>>Hey guys, welcome to the talk. A Picture is Worth a Thousand Words, Literally. Deep neural networks for social stego.  Do a quick intro for both of us first.  Uh, I think we, we have you know kind of our thug and our skill sets that complement each other nicely for this kind of talk. Um, I’m a Data Scientist at ZeroFOX so I work in social media security. Um I did my PHD before this, I studied biological neural networks that were a lot more detailed than the kind of things that I’ll talk about today. But more and more I’ve been looking into how to, how to study big data, social media data specifically. Uh in terms of these type of networks. And here’s Mike.
>>Thanks Phil.  Uh so my name is Mike Raggo. Um been doing a lot of research in steganography for many, many years. Um, another gentleman that’s here today, uh who I presented with at Sky Talks and later at the Wall of Sheep, Chet Hosmer and I, uh authored a book called, Data Hiding, a few years ago.  Where it explored a lot of uh new and we tried to make it very groundbreaking methods, rather than yet another stego book.  Uh and this is kind of a spin off of that.  Which we’ll tie in and uh super honored to be back.  Um I last spoke here at Def Con 12, so I’m kind of a, maybe a grey beard old school.  And uh at that time, um I had spoked on stego and authored a tool actually in VB uh called StegSpy.  Um and I’ll get into that a little bit more detail kind of bridging that to what we’ll be discussing in more detail today.
When we took a look at the theme for Dec Con 25 this year, um Phil and I had already been kind of brainstorming this topic and when we saw the theme, unintended uses of technology, we’re like, well this brainstorm some of this research we had already spawned and started would fit in perfectly with the conference.  So in terms of leveraging that expertise myself more on the, on the stego side, uh and Phil of course, more on the uh the ML side.  Uh we kind of put our 2 heads together and said I think we can create a really cool presentation, some really cool research and and ultimately a really cool tool as well.
Um I’m sure the majority of you are familiar with 2600 magazine, The Hacker Quarterly. Um I know I’ve been collecting the magazine since at least 97 and it even predates that.  And um in looking at that, if you’ve ever looked at some of the covers of these magazines uh and you put them in different types of light you’ll actually find hidden messages on the front pages of these magazines. So, if you’ve got an archive of some of these old things and you’re hanging out one night having a few beers it act- it’s actually kind of cool to kind of break them out and see what kind of messages you can find amongst them.
So our agenda is we’re gonna kind of go through the evoluti- uh evolution of steganography and uh kind of bring you up to speed um and, and, and also really more kind of focus on everything that kind of led up to our idea around um, using uh social media uh for covert communications.  And some of the ideas and cool research that others have done that kind of inspired our research.  Furthermore we’ll then kind of get into uh DIY or do it yourself type of social stego. I’ll walk you through a lot of the testing.  Um that we went through to kind of vet out the various methods we could use for hiding data across social.  Um across images and now across audio and video.  Um and the different types of insertion techniques that we employed.
Um and then Phil will take over, we’ll, he’ll get into uh deep neural networks for social stego, um red and blue teaming approaches and then we’ll collaborate on the wrap up and kind of uh real world use cases of this.
So one of the things I always refer to especially when I present at forensics conferences is kind of um just kind of taking a step back in what is covert communication. And if you refer back to uh the US Department of Defense, uh Orange Book back from 85, they describe it as any communication channel that can be exploited by a process to transfer information in a manner that violates the system’s security policy.  They take a step back and you look at steganography or covered rioting, secret communications, things like that.  Before we really go into the internet era you had um, uh the Code Breakers book that came out.  Um by David Conn, anybody here ever read Code Breakers?  Really really good book, came out in the late 60’s and then a second edition in the 70’s. fantastic book, takes you through the history of different types of covert communications, dating back to ancient times in the Egyptians, in the Romans and, and uh the Chinese.  Um fantastic book and from that you can get a lot of ideas um, more from a digital standpoint about the various ways in which you can communicate covertly. I know I refer back to the book daily and keep it right on my desk all the time.  Really inspires me to go back and say let me step away from the digital side of this.  What were the methods they were using way back when?
It we take a look at the internet era and the evolution timeline, Neal Provos and many others around the 90’s and into the early 2000’s were analyzing and there were lots of apps, um that were coming out um, for various operating systems to allow you to perform different types of stenographic techniques.  These employed a lot of methods primarily focused on hiding in images.  Whether they be JPEGS, GIFs, uh and other types of formats.  And you can additionally employ uh, crypto to not only hide the message within an image using a variety of techniques we’ll talk about next but further more encrypt it, cypher it, um even disperse it across the image.  But people have certainly expanded upon that since then there is plethora of different ways you can do this that we’ll cover next.
As things progressed people started to kind of take a look at the mobile aspect to this. And they’re more than a thousand movie apps that will allow you to uh leverage stenographic techniques to hide message, to hide a picture within a picture, to hide content in audio, in video as well.  And furthermore Chet Hosmer and myself presenter here the last few years at both Sky Talks and uh the Wall of Sheep covering different techniques for uh hiding within different types of video formats and then uh later on today also presenting on covert TCP, covert UDP, and covert WIFI.  And so there’s a lot of different ways in which you can leverage stenographic techniques for hiding information. But this is kind of what led up to what we’re going to cover today in terms of social. 
So just kind of revisiting some of the ones that were very inspiring to us.  Uh, one particular app called OpenPuff kind of expands on what we described already in that, hey I can have an image in which I can hide content.  Maybe I mess around with the metadata, maybe I append it to the file, maybe I use an LSB technique, DCT technique, or other techniques for that matter.  OpenPuff basically said I’m gonna use multiple images and I’m gonna hide my content across multiple images.  And then I’m gonna throw off the forensic investigator by creating decoy files as well.  So if you had all of the images and you were the investigator trying to piece meal back together, that original message you would be throw off by some of the pictures actually having decoy data making it extremely difficult to not only identify that they’re hidden content there but actually putting it all back together.  Or performing stego analysis to reveal the original hidden content. 
We also saw uh, a few years back where Operation Shady Rat and the research surrounding that was released, right? And one of the ways uh they did that was it was very much weaponized by uh an actual call back to a wordpress site, other sites for that matter would get updated instructions hidden within an image that it would parse, extract and update the command and control information.  Additionally, there was some great research done at Sands, around expanding upon alternate data streams within the Windows NT operating system such that you could do or perform stealth alternate data streams.  This thereby uh some of those things that are built into the uh uh NT operating system like LPT and other things can actually also be exploited uh leveraging alternate data streams but in a much more stealthy manner.
Verging that to today ya know, lot’s of different types of protocol exploits for this, uh as well as I did some research around a smartwatch.  Hiding data within that, presented that at Def Con demo labs.  And then further more within MP3s which we’ll come back to at the very end of the presentation about where we’re going with further research.  So breaking steganography out into these different categories many of which we explored for the reteach. 
Linguistic stego basically modifying the text and either adding additional words, additional text, misspelled words and other type of linguistic approaches can allow you to s- hide information in a very simple way and we’ve seen this employed on Twitter and other um, uh types of social media.  Uh as well as Pinterest to allow you to go ahead and post uh something to one of these uh social media uh networks and while although it looks like a bunch of words done, really don’t make a whole lot of sense to us the intended recipient, the bot or something else is extracting the pieces of those that they’re most interested in. 
From an image standpoint lot of different methods, you can employ.  Uh in terms of JPEGs for example, you have EXIF or even JFIF whereby there is metadata at the beginning of the actual JPG file. Some of that may actually be leverages when you take a picture on your smartphone, you post that to social unless they remove that metadata, ya know they have, there could be your location information, there could be uh overriding of other information such as what phone it was taken from, the time and data and a variety of other information.  But that same metadata or those metadata fields can be used for hiding data.  Additionally, there are other techniques in which you can append beyond the end of file marker.  Or uh using a least significant bit technique or frequency as well.  And we’ll talk in more about that in detail and how we’ll use that technique within social media.
Additionally, done lots of research both across audio and video. Remember with an uh an MP3 for example that typically there’s a copy of the album cover embedded or JPEG embedded within that MP3.  If I can hide stuff in an image why can’t I hide it within the JPEG that comprises the album cover that’s embedded within the MP3 itself?
And then for those who author a lot of these stego programs may additionally uh, uh employ different types of uh cypher techniques, uh Vision Air for those, those of you who know was used at, at uh CISCO for a long time.  Uh XOR and many other types of uh crypto.
Alright so what do we do with our actual research?  Obviously when you look at uh social media and social networks there are a variety of uh images that you can target and that’s exactly what we did in our testing.  In that we said, ya we’ll take an ethical approach here but to what extent can I hide information in a profile image, in a background image, in addition to images that I may actually post or an album, book or collection I may actually create.  Additionally, can I do that over DM?  Or can I actually have a link that points to another site where that image with the hidden content resides that’s actually rendered and presented within the actual social network on that particular post or that page?
It's important to consider when you’re analyzing and looking to leverage uh, these image formats as a carrier to determine to what extent can I hide data?  And what are the different compression methods that they employ?  If you look at JPEG, PNG, TIF, GIF and BMP files most of these are lossless but they do have some lossy capacities.  One might argue for example while although GIF and, and some of what was originally patented was a lossless technique it does use compression and in other formats of GIF you may lose data as it’s compressed.  Bottom line a lot of these image formats leverage a compression and a lot of that had to do with the early days of the web so you can post it and that file simply wouldn’t be quite as big when you visit the page over a modem connection it would render much quicker for you.  But what exists today is a lot of information about those compression techniques that can either be targeted as well as information about how they’re formatted in terms of the metadata the file markers and  a lot of other characteristics. 
So in terms of a research then we said, hey, yo, of all of these which ones can we actually model out in our testing and test for each social network and all the different variables that we previously outlined?  With Least Significant Bit for example.  W- basically uh, allows you the ability to go and modify the least significant bit from a zero to a 1 or a 1 to a zero but only modifying the least significant bit across the file or dispersed or even at specific file markers repetitively throughout the file.  Such that the recipient who may use the same program or technique to reveal it extracts all those least significant bits to put them back together to either reveal the original ASKI coder or reassemble an image or something else that was hidden within that image.  Other techniques that we employed, a lot of times when the social networks render a JPEG file um they’re looking for the end of file marker which in a JPEG is FFD9.  What we found in a lot of instances was we could do something as simple as just appending content after the end of file marker which for some of these net- social networks was actually it completely ignored.  And what is rendered is just what you see up to the end of file marker.  Just either ignoring or throwing away the extra content.  But we found out that the survivability was 100 percent because when we downloaded it after uploading it, it would survive.  And that kind of leads to my last point which was 1 of the other techniques we kind of employed with this that I personally had never done before is well let’s upload it, let’s see to what extent they jam it, they recompress it, they strip the metadata and take that post download file and now actually hide content in that and post it back.  Does the social network uh look at it as now, hey that’s a file I’ve already touched, it’s in my format I’m gonna ignore what’s in there now or do they recompress it?  So that’s also part of the testing. 
So just a very high level testing workflow.  We used a lot of these different types of hiding techniques within an image, uploaded it to a variety of social networks, then downloaded it and tried to understand the difference with the characteristics and what kind of content would or would not survive.  So this spreadsheet is kind of a breakdown of the results of the initial testing.  As you see here whether it’s interest, uh Slack, uh and others ya know we went through a process of hey, let’s try the profile file, uh, uh photo.  Let’s post an image as part of a post. Um let’s try the background image.  Um does the picture residing in an album, a collection or a book have any impact one way or another on this.  And then that round trip of, hey, ya know I uploaded the file with the hidden content, it went ahead and recompressed it and removed the meta- meta data thus destroying what we had hidden or essentially jamming it.  But if I, I then download it, modify it and repost it, did it actually survive?  So, with Pinterest for example, and Slack we were able to post images and hide content in a number of different ways that included insertion techniques.  Uh whether it be prepend, append, or within a portion of the file that may be ignored.  Uh modifying the metadata and also using Least Significant Bit to hide content. So anywhere y- obviously, you see here a yes, that’s highlighted in green is where we had a success rate in terms of these methods. Uploading it to the social network and then simulating a recipient, going out there, treating it like a dead drop and downloading it.  What’s interesting about this is we’re using 1 of the most, ya know open forums for sharing information from everybody to see.  But yet taking equal and opposite approach of actually uh secretly hiding data right in plain site that nobody really sees by actually observing it.  Lastly amongst all of that we started exploring MP3s and I’ll come back to that later with Tumblr and how we actually were successful in hiding content there.  Because that’s sort of the next stepping stone with our research.  So this point I’ll turn it over to Phil. [applause]
>>Cool, thanks Mike.  So to, to build off that, um we have a lot of research now and we have a lot of results about how we can go up and s- and post images and download them and see what type of effects are being rendered by the different social networks uh in this round trip.  Um so we want to build off of that and for, for the instances in which the social networks are doing some kind of compression or some other type of uh backend uh re-rendering of the image we want to find out a way how to uh, retain the ability to implant stego, upload the image, download it and have that message survive.  Um, so deep learning.  I’ll, I’ll talk about that in a minute.  To zoom out a little bit first.  Why social networks are such nice conduits for steganography. We all notice, um they’re massive.  There is so much content that is being poured across social networks on a, on a second by second basis um it’s incredible, right?  The scale is out of control. It’s 4, almost 5 billion pieces of Facebook content shared per day, 100’s of hours of YouTube shared per minute.  500 million tweets per day, about that, etcetera.  So the idea here is that there’s so much bi content being poured across it should be fairly trivial or fairly anecdotally simple to, to hide some piece of data in that huge stream of data being poured across.  And uh even though it’s public have someone, a recipient of that message be able to take that data from the sender, decode it and understand it while everyone else doesn’t understand it, right?  So that they have like a special key or certain way of uh de um decrypting that message. 
On top of that social networks themselves are evolving. So initially when it was Facebook and Twitter and the initial like My Space a lot of the way that we as humans communicated with each other was through text.  You know. Um, it was very simple, 140 characters. Uh we got the message across, text messages more and more now um and the older social networks are catching onto this but the way that we communicate with each other is mostly through images. And there is a lot of reasons for this um and there is a lot more engagement that gets um created as a result of this.  But networks like Instagram, Snapchat, Pinterest, Tumblr, these type of networks where the primaril- the primary avenue of communication is over an image, whether it be a meme um or a, or a photo that I, that I take on stage and send out to my social network. Um we’re living more in the moment and we want to share that instantly to other people.
Um, so in addition to the fact that they’re heavily trafficked and they have this public nature, um social networks provide convenient APIs for, for sharing content uh for developers and the apps that they build.  And so it’s fairly trivial for me if I have an account to design uh or to build some code that makes it so that I can automatically upload an image to social network and then in, in uh in turn download that. Um if you’re worried about attribution, fake account creation is pretty trivial on all the social networks.  Anyone can go up and assume some identity.  Um, when you’re worried about steganography and the more malicious kind of steganography which I’ll get into in a little bit.  Um if you’re, if you’re a, an IT guy in a company, from a network perspective or from, from a, from a, um forensics perspective social networks look completely benign. Interacting through a social network doesn’t raise any red flags. Um it’s expected almost, people post on social media at work all the time. 
Um in addition to these kind of characteristics you have a lot of examples of these things happening in the wild.  And I’ll go over that now.  Um I put it up now and to kind of black hat versus white hat.  And the most prominent example of this black hat example was HAMMERTOSS. And of course uh this was discovered by FireEye a few years ago.  Um, and this was allegedly the Russian APT 29 group that um, that once the malware was installed locally on machines it would go up and look for um different social network users on Twitter and if the user would exist it would look for a hashtag and a URL that is associated with the last post they made and if that existed um at the URL there would be a link to, typically a Github page which contains an image and within that image with steganography BCF, all these, all these layers of obfuscation here that have been implanted by the attacker just to retain command control and to, to communicate with the infected machines. 
We have other examples of this, not just on Twitter.  More recently you had uh, the allegedly again. the group Turla doing this with Britney Spears’ Instagram comments.  Um so they’re getting pretty creative in the way that they uh maintain their command and control infrastructures.  And so on the other side of the page here you have more white hat research and this, so, so, some pretty smart people last year at ENDGAME presented a way to um, deliver powershell code through Instagram images using discrete cosine transform uh, steganography and a- again this was away f- to maintain a command and control infrastructure and to um, to keep contact with the malicious computers or the infected computers or um, workstations. 
So, in addition to that you have uh, pretty cool tool I’d like to point you guys to called Secretbook by Owen Campbell-Moore.  This was a Chrome extension that made it super easy for you to go up and put a little message into a Facebook post or a Facebook image and upload it or um upload it to the network and then download it and encrypt it and be able to recover that message on the other side.  So the way that he did this and the way that the, the folks who did the Instagram research both did this um was that they were able to look at the quantization tables that were being used by both Instagram and Facebook and uh, and basically reverse engineer those things and once they knew or once they had the knowledge of what, what the, the quantization table or basically what, what the JPEG algorithm is doing behind the scenes they were able to predictably and reliability transfer data through the social networks despite the fact that they tend to declobber or, um or really um compress the, the crap out of the images.  Um, and there is other heuristic discrete cosine transform schemes that exist.  Um another reason why social networks are, are kind of nice conduits for social stego uh is that um, from, from like a machine learning perspective it’s really easy to go up and get data. 
Um, as a, as a data scientist you need access to data and label data and so, it, it’s very easy uh because social media provides permissive APIs I can take a bunch of images, um on my local machine and either upload them to an album in bulk and then download them or I can do it the hard way uh whereby I can just take a 4 loop on my local machine and add some time jitter to it so maybe to, to avoid some detection if it’s very regular that I’m uploading images it might be very unpredictable and, and they might take notice.  And so uh I can go up and I can piece by piece post each of these images to social network and then just download them at a click of a button uh from a Facebook album.  Or not just necessarily Facebook but any other kind of social network. 
Um so to get back to this workflow that Mike introduced, uh we have a pre-uploaded social network image, um our server image that we want to upload to social media and then next we want to download it and the message that we stored before we uploaded we w- we want to be able to recover it. And so some of the social networks that Mike identified before, for example Pinterest and Google plus and Slack and Flickr, they don’t do anything to the image when you, when you upload them to them to the social network.  So, so there’s no reason why you can’t just do LSV out of the box or append it to the end of the file or change the metadata.  Um they’re not doing much so this for me is not interesting, um I care more about the fact that um different social networks um like, like Instagram and Facebook and Tumblr uh are compressing the image.  So I wanna isolate these and I wanna be able to say um despite the, these alterations that are being made I wanna be able to still pass a message on, on the pre-upload side and recover that message after it’s downloaded.  That’s kind of the challenge that I, that I posed for us. 
Um, and so why is this such a challenge? It’s because you have different j- uh jamming techniques that are being employed by the social networks, um, when content is uploaded to the backend of their servers. Um and so they do this for a few different reasons the most obvious reason is that when they wanna serve up content to the users um they want to make it so that their users have a seamless UI or a seamless user experience should I say. Um they wanna be able to serve up images as you scroll through a timeline or as you scroll through albums.  You wanna be able to uninterruptedly look at these images and render them on the fly.  And um, because this is a very expensive operation typically on your mobile device uh they tend to compress it so they make it, they make the image smaller and when it’s smaller it’s able to be fed quicker and more easily and more conveniently.  And it’s not just compression there’s a lot of different other uh types of techniques that are, that are used like lowpass filtering.  Mike said stripping the metadata.  Um they could even convert the file type so if you upload a PNG the social networks might convert it to a JPEG. Um, and there’s other type of image alterations you can do like alpha compositing that might be, uh might be done.
But there’s anyway, here’s a slew of different operations that are done by these social networks and I wanna say and I wanna kind of prove that despite these things we can still uh create a message that survives the uh, the transit through the social network.  So this is a pretty fundamental um figure that I’ll talk about for a few minutes.  Um, when you, when you take a an image uh and you implant it with some stego and you or, or some hidden message, whatever it may be and you upload it to social network and then you download it.  You have 2 images.  You have your pre-uploaded image and you have your downloaded image. Um so what we did is we looked for a bunch of different images like this.  Uh what was actually happening to the, to the individual pixel of these images as they transited through the social networks.  As, as you can see this is a pre-posted pixel difference histogram.  And what it means is that if I compare pixel to pixel the pre-uploaded and downloaded image um what is the difference in our GP value that I’m seeing from pre to, from pre to post during the transit?  And the peak here for, for both Tumblr, Facebook and Twitter and the other networks that we saw when we compressed these things is centered at zero and when it’s centered at zero that means that the majority of the pixels aren’t changing.  Alright so, so this is good news. 
Uh that means even though there’s compression and other types of abrasions happening uh we might be able to somehow predict which of these pixels aren’t changing in advance.  But this is a really hard task because I can do it for a single image and I can do it for a few images but I wanna be able to know before I do the stego which image locations, which pixels are most um, are most embeddable are least likely to be changed by the social network transit and the compression and other stuff that they, that they do upon the image, right?  So basically from a machine learning perspective uh we take a bunch of data and we take a bunch of images and we label it in a bin- binary fashion um all the pixels in the image which are least l- least likely to change so they have zero difference between the pre, pre-uploaded and post downloaded images.  We label those pixels with a 1.  Those are prime locations. Prime carrier locations for us that we wanna target with our message that we wanna embed in the image.  All the other ones where you have some slight pixel differences happening between pre-upload and download uh we don’t care about them. We want to toss those away. If we try to change some bit and store some message in those pixels it’s going to be changed, alright. 
Uh, so you can do this and you can scale this up.  So for example there’s a lot of image libraries um, and we as a company should note that. And some of our own images and selected a bunch of samples because the algorithms that I’ll talk about in a little bit um rely on a lot of data to be able to learn which locations with or which pixels within the image are most likely to survive um survive transit.  Uh and we can automate the uploads and the downloads using the API functions.  And so in the end you have let’s say we start with 50,000 um images.  You have 50,000 pre-uploaded and you have 50,000 post downloaded. And you can go and you can create labels like I said before and you can do the diff and you can create the labels so you have basically binary masks for each image.  Alright.
And so then the question is, great you have these labels, you have the for a bunch of different variable images, which locations were uh, are most likely to survive uh social network transit.  Um now how can we go about predicting that for yet unseen images?  Um and so to do that we want to use a neural network.  Um but classic neural networks like this uh simple 1 layer hidden, with 1 layer single hidden layer types they don’t scale well to images.  Um when you have so many dimensions with the width of the image and the height of the image and you have the 3 RGB channels, what you end up getting is an unimaginable number of weights that would take way too long to compute. Um and so starting in the 2010’s or even a little bit before that there was a class of algorithms that came out called Convolutional Neural Networks.  And um, and these types of networks allow us to encode the properties of these images into the network itself, into the network architecture itself.
So instead of dealing with hidden layers that are single dimensional we’re now dealing with um, with multi-dimensional hidden layers. And you’re basically kind of like the human visual field is doing, I won’t dwell on this too much because it’s, it’s probably outside the scope of the talk but kind of like the human visual field is um, uh the visual system is doing, um it’s taking convolutions or filters over each layer and it’s in each layer it’s responding selectively to activations in the previous layer.  And so this has been proven to be um, really effective comp- for different computer vision tasks like object classification and facial recognition.  Uh a lot of the big uh companies are using this now at scale and they sale this as products to you. Um but like I said before we wanna pose this as a binary classification task for each individual pixel.  Given an unseen image I want to predict for each pixel which or ask the question for each pixel, is this pixel likely to change when I, when I upload it to the social network and download it. Or um is it likely to be one of the pixels that are gonna, are gonna change um and therefor I should kind of toss that away and not store a message there? 
And so this task is akin to image segmentation. I’ll go into this, into more detail on the next slide. But you want to create a binary mask for each image so you basically want to select the pixels that are, that are most likely to, to keep your message intact and deselect the ones that are least likely to. Um and these, there’s, these’ a lot of reason why you would do this.  You can imagine the path that the image takes.  As it gets compressed the social network has a function that’s being uh imposed upon the uh upon the image.  And feed forward networks have very nice properties so that you can approximate these types of functions. Um so we set up uh, we set up a model uh and the model is built on uh built using python, um terrace using a tensor flow backend.  Um if anyone has more details about the, more is, more interested about technical details come find me after.  Uh but we used a GPU uh and we used a, a neural network with 23 layers fed through um, through ReLUs use that was kind of contracting and expanding. And it looked like these type of networks.  So um if you can imagine finding pixels that are least likely to, to be changed as you upload an image to social network it’s akin to uh identifying pixels and images, um let’s say for objects right.  So on the left hand side this is an image taken from Deep Mask, um and the idea here is that you want to do object recognition so you want to selectively choose pixels that are most likely to contain objects.  On the right hand side, this is a pi- this is a picture from u-net and the idea here is, is that you have more of a biological use case where you have cells where you might be interested in like analyzing ultra sound or, or doing some kind of cancer screening or cancer detection. More and more of these tests are being um, are being accomplished by neural networks and more automated techniques.  And less so by surgeons or, or doctors.  Uh so the idea here is that you have specific cells that you want to isolate from the 4 uh you want to isolate the foreground from the background of this image And the same thing can be done or the same idea can be applied to um identifying pixels that are least likely to be clobbered or least likely to be altered during social network transit.  Although it’s not as pretty, you know you’re not identifying objects anymore on the right hand said you see the base image and then on the, on the bottom you see the pixels that are most likely to, to be able to contain or be able to survive um social network transit. So these are the ones we want to select for um, for embedding our hidden message in. Um but it, it works to some extent right? So we’re able to predict using a bunch of different image uh which pixel locations for an unseen image can survive the, the throughput. 
Um and so we have several different caveats to this. Um first we, we impose constraints upon the neural network. So that instead of uh being able to willy nilly e- embed a ton of different data uh we actually want to make sure that the difference between the pre and the post uploaded image um doesn’t look completely different.  Otherwise if we go too far in that direction you get in the, in the zone of watermarking where people are trying to put too much data in the image to make sure that it survives compression. We don’t want to do that we wanna make it for a human still imperceptible.  You don’t want the human to notice that the message is stored inside there.  Um, uh and so this affects the capacity to some extent.  Uh but there’s anyway there’s different constraints that you can encode on these algorithms to make sure that um that they don’t, that they don’t show up for uh, for a human.  You can do different things like MSSI uh uh MS SSIM or use peak signal-to-noise to impose that constraint.
Uh and then the results we were looking at, and I, I’ve  yet to quantify this but uh the, the learnt pixel locations that are most likely to, to survive  social network transit with a message, um correspond to regions of im- of the image that are that tend to be more complex and busier and that’s because of the constraint we imposed upon it.  Um, that we wanna minimize the visual difference between pre and post image.
And so what’s the novelty here, um you know with, with spatial steganography traditionally and sp- by spatial I mean that you’re actually flipping bits or you’re doing LSB or, or even 2 um the 2 less bits or whatever you want to do.  Uh typically uh this, this technique tends to have more storage capacity and so you can, you can imbed uh larger payloads within your image.  Um compared to frequency based stego which is where you’re encoding the message inside the discrete cosine transform coefficients. However typically it’s been thought of as being compression or um any kind of alteration, intolerant.  And so here we’re trying to show that’s not necessarily the case, alight.
And so, previous ad hoc approaches were, were based on, okay I have a bunch of different um, images and I’ve, I’ve a network here and I wanna just try and see what happens and, and uh and present the result of, of what’s actually going on, what can I actually do.  Um here we wanna actually create a feedback loop and use the data on the other side and let it inform future data and make future predictions for us.  And in principle although uh the results I’m showing you here today are, are being used on Tumblr uh this should generalize across social networks that, that use compression.  Um, and so the nice thing here is that uh you don’t necessarily need to know the implementat- implementation details of what’s going, going on behind the scenes.  Uh you don’t need to necessarily know in advance that the social networks imposing this specific type of compression um, or with this certain specific range.  Uh you can just kind of let the data and let the machine learning algorithm do that work for you. 
Uh, uh and then just to kind of um, to kind of contextualize this.  I got up on stage last year and, and gave this slide and the idea here is that um a lot of, a lot of past thinking in, in uh information security based on machine learning but applied to defense so whether it be um  network intrusion detection or spam filtering or um antivirus prediction, um people tend to associate machine learning with being able to detect this stuff in the back as you’re doing. Um but last year I was up on stage with my colleague John Seymour and we talked about a way to generate text and generate messages on Twitter that people were much more likely to click on.  Um, uh and so the idea here was that you could use uh a neural network and train based on people’s preferences and their likes and interests based on their Twitter timelines and actually deliver them a payload and deliver them uh a message that looks a lot like what uh is something that they might be interested in clicking on. 
Again, uh and so the idea here is that you can kind of mix the effectiveness and the high accuracy.  Um but the get away from the high manual labor associated with spear fishing. Um and still um, and scale it up to the level you would see with fishing.  And so kind of the, the overarching theme here is that um red team or offensive techniques and machine learning is rising.  Um there’s a growing number of examples in literature um both the stuff we works on last year and this year when it came to steganography and micro-targeted social engineering on Twitter but also when it comes to password cracking, captcha subversion. Um Hyrum Anderson gave a talk recently about antivirus evasion and so th- these type of things are being uh employed more and more and um, in, in fact it’s easier that defensive machine learning. You don’t need to necessarily go out and get a lot of labeled samples to be able to do this effectively. Here I was able to automate the, the labels I got just based on differences between pre and post uploaded images. The work we did last year with micro targeted social engineering.  We use um, we didn’t even need labels, um it was unsupervised in nature.  So, we’d let the network spit out a tweet that looked like exactly s- what someone might post previously, right.  On top of that, um the success matters less um for the red team ya know. If I go out a 100 times and I succeed once, that’s great. For the blue team it’s the exact inverse, right?  And so, there’s like of like a, a slew of these different characteristics that are conspiring to make attacks easier and make machine learning a, a viable way to do this.  On top of that the retreating barriers to entry. 
Um, but I don’t wanna worry people here.  I think red team machine learning and offensive machine learning is a positive development for the community. It’s going to start keeping us honest.  If you apply statistics and make the attach more statistical in nature, it’s going to make your defenses more robust and fortify them in the long run. And uh, and I think people like Elon Musk who, who tend to be more fear mongering about AI, um you know they, they might have other ulterior motives to do that but I think i- in the long run for, for security this is going to be really a really nice development. Uh it’s only going to improve security and the faster this is realized the better we’ll all be. 
>>Yeah, so ya know from a forensic standpoint and trying to perform steganalysis right is, is quite difficult.  And so this sort of um simulated offensive approach to testing out all the different characteristics in ways in which you could potentially hide data and all the different methods that we’ve outlined so far from an ML perspective that is, does that allow you to get ahead of uh the people that may be actually looking to maliciously exploit that? Right?  And from that learn other ways say which you can further jam or prevent those techniques.  I think that’s ya know some of the things to consider here.  Um, in looking at the general use cases and we’re almost out of time here, ya know coming back to some of the actual use cases from a data exfiltration standpoint if somebody is communicating covertly, posting these, ya know they, they look very benign right when people are posting images to social and although it may be a medical environment a government environment or something else for that matter, when people post that you may be observing that on the network. You may be observing what they posted. It may look very, very benign but as we’ve demonstrated these techniques definitely circumvent, a majority of your IDSs, malware protection systems and, and other types of security products. And so, it remains a big threat and a big risk. Furthermore, it makes a perfect dead drop, right? Hiding in plain sight.  Whether you played Zelda on Nintendo and try to find that brick where that ya know item was hidden behind, to a digital ya know, applied perspective of that.  This provides a great mechanism for performing that.  Furthermore, it’s been demonstrated in the wild and there are real use cases like HAMMERTOSS and others in which the CNC was weaponized.  Um and then uh one other thing I’ll mention in terms of privacy, ya know when we post those images to what extent is that data stripped away?  Uh and conversely how can that be further used to communicate covertly?


>>Cool, yea and, and you can also think about this in terms of the, ya know bypassing the censorship type of situation more and more, ya know governments of the world and a lot of western governments too are uh, are imposing restrictions of what can and cannot be posted on social.  And so, this was one of the ideas that was um, that was emphasized in the, in the Chrome uh tool talk.  The, the one by Owen Campbell-Moore is that, these type of uh hidden messages allow you to still retain the ability to, to bypass these online sensors and still get your message across to the people that you want to reach.
Uh and then lastly kind of the one of the purposes we wanted to emphasize here is that uh we which want to raise social media security awareness in general. Um a lot of people may not even be aware of the fact that when you upload an image from your phone or from your camera the metadata or other identifying characteristics might be still there.  And this might be a really nice way or a really easy way for government to co- uh government to track you and track your location and other type of metadata that’s surrounding um that’s surrounded the images that you’re posting.
>>So just to wrap up then. Uh we’ve started to spread into uh video and audio. So um, one example is some of the uh sites will allow you to upload audio but it will get converted from an MP3 to an MP4 but in others you can upload an MP3 and within that a lot of MP3s have that field for a JPEG so could you hide information within the JPEG within the MP3, upload that to social nad would it survive. In our test cases so far, yes it has. So you could certainly leverage that from an audio and even a, a video standpoint too with MP4s. 
>>Eh, and really quickly in terms of mitigations, you know, we’re not, we’re not presenting in, in defeatable or un, un unrefutable uh technique here.  There’s um, there’s things that can be done. You can, you can in- you can imagine more sophisticated and dynamic jamming techniques. So, switch over the quantization tables more often and more frequently and there are different ways to detect steganography as well that are well vetted out in the literature. Um and so, ya know that’s it.  Here’s some summary points and we’re going to be around for questions after this if anyone is interested in talking about it.  Uh I’m going to release some code in the next few weeks that will allow you to play with steganography on different social networks and automated through your um, um through, through your user.  Um, and if anyone else, this is, this is in a lot of ways this is a work in progress so if anyone is interested in these types of techniques and this approach um just let me know and I would love to continue and collaborate on these ideas later.  Thanks. [applause]
>>Great thanks everyone.  [applause]