Scanning USENET for Steganography



      After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis. A detailed description of the detection framework can be found in Detecting Steganographic Content on the Internet.

This page provides details about the analysis of one million images from the Internet Archive's USENET archive.

Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS.

However, we have not found a single hidden message.

If you have questions, please check the FAQ first.


Image Statistics

Usenet Stego Graph
Graph created at $string\n"; ?>
The graph shows results from scanning USENET JPEG images for steganographic content.

Stegdetect is being used for the classification. Stegdetect determines a statistical likelihood for hidden messages. There is no guarantee that an image contains a hidden message.

All suspicious images are being processed by stegbreak.


Image Distribution in USENET groups

Usenet Stego Graph
Graph created at $string\n"; ?>
The graph shows the distribution of images in USENET groups. The majoriy of the images were found in the alt.binaries hierarchy.

The distribution is heavy tailed and group hierarchies not shown by name are reflected by category other, about 16% of all images.


Scanning Statistics

Usenet Stego Speed Graph
Graph created at $string\n"; ?>
The graph shows the speed with which we can scan images from the USENET spool. It includes all data processing from the compressed spool file to conversion to stegbreak format.

One spool file is about 125 MByte large and contains a few hundred images.


Stegbreak Statistics: JSteg

Stegbreak JStegspped
Graph created at $string\n"; ?>
The graph shows the speed with which the JSteg positive images have been processed by Stegbreak.

Disconcert distributed the job on 16 workstations. At the end of the run, one of the workstations dropped out.

The dictionary attack on JSteg did not find any messages.


Stegbreak Statistics: JPHide

The graph shows the speed with which the fourth quarter of the JPHide positive images are beeing processed by Stegbreak.

Disconcert distributes the job on about two hundred workstations. The cluster has a peak performance of about 870,000 keys per second. The speed is comparable to approximately seventy-two 1200MHz Pentium III workstations or 87 GFLOPS as a rough estimate.

The jobs run mostly on workstations provided by CAEN, MIT and CITI.

We did not find any hidden messages while processing the JPHide positive images.

Stegbreak JPHide speedStegbreak JPHide speed
Stegbreak JPHide speedStegbreak JPHide speed

Graph created at $string\n"; ?>

Copyright (c) 2001 Niels Provos