
Qualitative Analysis of Dynamic Pattern based Steganography Algorithm in providing E-Banking Security

P. Thiyagarajan, G. Aghila, V. Prasanna Venkatesan
CDBR-SSE Lab, Department of Computer Science, Pondicherry University, R.V. Nagar, Kalapet, Puducherry 605 014
Email: thiyagu.phd@gmail.com, aghilaa@gmail.com, prasanna_v@yahoo.com

Abstract. Steganography is the art of hiding secret information in media such as image, audio and video. The purpose of steganography is to conceal the existence of the secret information in any given medium. In the world of E-Commerce, internet banking is one of the indispensable applications. Security issues have to be addressed critically in internet banking applications, and they directly influence user comfort. This work aims at applying the newly proposed Dynamic Pattern based Image Steganography (DPIS) algorithm in the E-banking domain. This paper discusses how the major E-banking security issues, transaction security and phishing threats, are addressed using the DPIS algorithm. The DPIS algorithm has been evaluated qualitatively, and the need for quantitative analysis is emphasized.
Keywords: Image Steganography, E-Transaction, Phishing, Plug-in, Embedding, Extracting.

1 Introduction
"Information is Wealth" is a well-known statement, and it holds in every aspect of business. With information serving a critical role in the e-banking industry, preserving it becomes the most challenging activity. This paper presents how steganography enhances internet banking transaction security and prevents phishing attacks, which are considered the top security issues in the E-banking industry.
The Dynamic Pattern based Image Steganography (DPIS) algorithm is used in the E-banking application to enhance the security of the data which is transmitted between client and server. The paper deals with the step-wise transition of the data and suggests a mechanism to hide the information from intruders. The security is guaranteed by the inclusion of a stego-layer on the client and server side.
Phishing is prevented with the DPIS algorithm by packaging the algorithm as a plug-in installed in the browser. The architecture and working model of the above methods are discussed; they have been evaluated qualitatively, and the need for a quantitative analysis of the proposed methods in E-banking is emphasised.

2 Security Threats in Internet Banking - Survey

Internet banking, otherwise called anywhere-anytime banking, has become an indispensable tool in the modern banking arena. With the help of internet banking, one can access any information regarding one's account and transactions at any time of the day. One can regularly monitor the account as well as keep track of financial transactions, which can be of immense help in detecting any fraudulent transaction. The main issue of internet banking identified in the survey conducted by the online banking association in the year 2002 [9] is security.
Security is a crucial requirement of an E-Commerce system [6], because the sensitive financial information that these systems transmit travels over untrusted networks, where it is essentially fair game for anyone with local or even remote access to fetch the confidential data at any point of the path it follows.
Phishing is another important security threat that arises in E-commerce. Phishing is done by developing a website which looks exactly like the original banking website. The link to the fake website is transmitted mostly through mail. A user who receives the mail containing the fake web address is, on clicking it, redirected to the fake website, which asks for the user's credentials. Once the user enters their details, they are stored in the attacker's database.
The Internet has become a part of everyday life in one way or another, and individuals can hardly do without it. With almost all processes automated, the processing time has become almost negligible, which directly improves the efficiency of the system as a whole. Christos K. Dimitriadis et al. [5], in analysing the security of internet banking, classified the attacks broadly into four categories.

They are:

- Cracking user credentials during transmission
- Phishing
- Injection of commands
- User credentials guessing

Of these, the cracking of user credentials during transmission and the phishing attack are the topics of focus here: both have been analysed, and a novel method has been proposed and implemented.
2.1 Transaction Level Security Literature Review
Financial institutions offering Internet banking should have reliable and secure methods for transactions. This section discusses some of the security mechanisms for transmission reported in the literature.
Transaction level security [8] is also ensured by two-factor authentication, which combines something the user has (bank card), something the user is (fingerprints) and something the user knows (password).
Hiltgen et al. [8] target man-in-the-middle attacks with short-time password solutions based on a password-generating hardware token; such tokens are available from manufacturers such as RSA Security, ActivCard or VeriSign. RSA's SecurID solution is the most prominent example. It consists of a small device with an LCD display and one button the user presses to initiate the calculation of the next short-time password.
Cell phone services are also used for secure transactions. For each transaction a secret code is sent to the user's mobile, and the transaction is carried out only when the code delivered to the mobile is entered correctly.
Secure Socket Layer (SSL) is another mechanism proposed for secure transactions. AES is the most commonly used encryption algorithm [11] for high-end security applications. Recently it has been shown by cryptographers that AES is breakable [1].

Though many transaction security mechanisms exist to safeguard users' transactions, a great deal of theft still occurs in internet banking, which underlines the need for a new, concrete mechanism to raise the security of internet banking transactions.
2.2 Phishing Literature Review
A huge variety of phishing defence mechanisms, such as email authentication [3], email filters [4], anti-phishing plug-ins [5], malware scanners, personal firewalls and other authentication mechanisms [6], are reported in the literature.
In this section the anti-phishing plug-ins Netcraft Toolbar, Trust Watch, Phish Net 1.2 and Spoof Stick, which are relevant to this paper, are discussed in detail.
Netcraft Toolbar
The Netcraft Toolbar [7] uses Netcraft's databases to track website information such as the site's hosting location, country, longevity and popularity; with the help of this information the website is classified as a legitimate or a phished website. If the attributes of the website the user accesses match the attributes already stored in Netcraft's database, the website is considered legitimate. If the attributes do not match the stored database values, the website is treated as a phished website.
Trust Watch
Trust Watch [8] works with third-party reputation services to determine whether a given site is legitimate or phished. Once the user types the URL in the address bar, the text is compared with a database of blacklisted URLs. If a match is found, the user is prevented from accessing the site; otherwise the web page is loaded.
Phish Net 1.2
Phish Net 1.2 [9] is a sensitive user-interaction plug-in that seamlessly protects users from web phishing scams. Using a sophisticated behavioural analysis approach, the plug-in detects emails that either originate from suspect locations or carry suspect content that maliciously refers users to phishing sites.
Spoof Stick
Spoof Stick [10] makes it easier to spot a spoofed website by prominently displaying only the most relevant domain information. Spoof Stick works on the basic principle of the domain name.

The domain name is obtained from the URL. If you are on a valid eBay website, Spoof Stick will say: "You're on ebay.com". If you are fooled into visiting a spoofed site, for example http://signin.ebay.com@10.19.52.4/, Spoof Stick will say: "You're on 10.19.52.4".
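The Spoof Stick behaviour described above rests on one URL rule: everything before an "@" in the authority part is user-info, not the host. The following Python is an added example written for this page, not Spoof Stick's own code; the function name spoof_stick_banner is an assumption, and it shows why the spoofed URL quoted in the text resolves to the IP address rather than to ebay.com, and additionally flags the presence of user-info, which a toolbar could surface as a warning.

```python
from urllib.parse import urlsplit


def spoof_stick_banner(url):
    """Return (banner, userinfo_present) for a URL.

    banner is what a Spoof Stick style toolbar would display: the host the
    browser actually connects to, taken from the authority part of the URL.
    Anything before '@' in the authority is user-info (a username), so
    'signin.ebay.com' in 'http://signin.ebay.com@10.19.52.4/' is not a host.
    userinfo_present is True when such an '@' section exists, which is a
    useful extra signal for a toolbar to show.
    """
    parts = urlsplit(url)
    if parts.hostname is None:          # no authority at all (e.g. a relative path)
        return None, False
    return f"You're on {parts.hostname}", parts.username is not None


if __name__ == "__main__":
    # Constructed inputs: a genuine eBay sign-in URL and the spoofed form from the text.
    for url in ("https://www.ebay.com/signin", "http://signin.ebay.com@10.19.52.4/"):
        banner, has_userinfo = spoof_stick_banner(url)
        print(f"{url!r:45} -> {banner}" + ("  [user-info present]" if has_userinfo else ""))
```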
3 Dynamic Pattern Based Image Steganography Algorithm (DPIS)
Steganography is the art of hiding secret information in media such as image, audio and video [4]. The purpose of steganography is to conceal the existence of the secret information in any given digital medium. The following pseudocode describes the proposed DPIS algorithm [12] for RGB-based image steganography.

Embedding Part
  Generate Indicator Sequence of any length
  Get the Cover image
  Get the Secret message to be embedded
  For 1 to last_row
    For 1 to last_col
      Fix the Indicator Channel
      If (Indicator channel is lowest)
        Skip
      Else
        Find the lowest channel
        Embed the secret message bits
        Mark the bits embedded in 3rd channel
      End If
    End For
  End For

Extracting Part
  Get the Indicator Sequence from embedding part
  Get the Stego-Image
  For 1 to last_row
    For 1 to last_col
      While (Entire bits not extracted = true)
        Find the Indicator channel
        If (Indicator channel is lowest)
          Skip
        Else
          Find the data channel
          Extract the bits embedded
        End If
      End While
    End For
  End For
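The pseudocode leaves several details open (how the indicator channel is chosen per pixel, what "lowest" means once LSBs are rewritten, how many bits a pixel carries and how the extractor knows when it is done). The Python below is an added example written for this page, not the authors' MATLAB implementation: it models one reading of the embedding and extracting parts on an in-memory RGB image, with the indicator sequence playing the role of the per-user key, and it also shows that extraction with a wrong indicator sequence yields garbage rather than the message. Every choice listed in the module docstring, and the names generate_indicator_sequence, embed, extract and demo, are assumptions of this example, not the paper's.

```python
"""Added example (not the paper's code): a runnable model of the DPIS pseudocode.

Assumptions not fixed by the pseudocode:
  * the indicator sequence is a list of channel indices (0=R, 1=G, 2=B), cycled over pixels;
  * the "lowest" channel is decided on the top five bits of each channel, so that writing
    LSBs never changes the decision and embed/extract stay in step (ties broken by index);
  * each used pixel carries 1..3 message bits, chosen at run time, and that count is
    recorded in the two LSBs of the remaining ("3rd") channel;
  * a 16-bit length header precedes the message so the extractor knows when all bits are out.
"""
import random

MASK = 0xF8          # top five bits used for ranking channels
HEADER_BITS = 16     # message length in bytes, sent ahead of the message


def generate_indicator_sequence(length, seed):
    """'Generate Indicator Sequence of any length': channel indices 0..2 (constructed from a seed)."""
    rng = random.Random(seed)
    return [rng.randrange(3) for _ in range(length)]


def _plan(pixel, indicator):
    """Per-pixel decision of the pseudocode: None to skip, else (data channel, marker channel)."""
    ranked = sorted(range(3), key=lambda c: (pixel[c] & MASK, c))
    if ranked[0] == indicator:
        return None                      # 'If (Indicator channel is lowest) Skip'
    data_ch = ranked[0]                  # 'Find the lowest channel'
    mark_ch = 3 - indicator - data_ch    # the remaining channel records the bit count
    return data_ch, mark_ch


def _to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def _to_bytes(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


def embed(image, indicator_seq, secret, seed=0):
    """Embedding Part. image is a list of rows of [r, g, b] lists; modified in place and returned."""
    rng = random.Random(seed)
    bits = _to_bits(len(secret).to_bytes(2, "big") + secret)
    pos, k = 0, 0
    for row in image:
        for px in row:
            plan = _plan(px, indicator_seq[k % len(indicator_seq)])   # 'Fix the Indicator Channel'
            k += 1
            if plan is None:
                continue
            data_ch, mark_ch = plan
            chunk = bits[pos:pos + rng.randint(1, 3)]   # bits per pixel decided at run time
            n = len(chunk)
            pos += n
            value = int("".join(map(str, chunk)), 2)
            px[data_ch] = (px[data_ch] & (0xFF << n) & 0xFF) | value   # 'Embed the secret message bits'
            px[mark_ch] = (px[mark_ch] & 0xFC) | n                    # 'Mark the bits embedded in 3rd channel'
            if pos >= len(bits):
                return image
    raise ValueError("cover image too small for the message")


def extract(image, indicator_seq):
    """Extracting Part. Returns the recovered bytes (garbage for a wrong indicator sequence)."""
    bits, total, k = [], None, 0
    for row in image:
        for px in row:
            if total is not None and len(bits) >= total:             # 'Entire bits extracted'
                return _to_bytes(bits[HEADER_BITS:total])
            plan = _plan(px, indicator_seq[k % len(indicator_seq)])   # 'Find the Indicator channel'
            k += 1
            if plan is None:
                continue
            data_ch, mark_ch = plan                                   # 'Find the data channel'
            n = px[mark_ch] & 0x03                                    # how many bits this pixel carries
            bits.extend((px[data_ch] >> i) & 1 for i in range(n - 1, -1, -1))
            if total is None and len(bits) >= HEADER_BITS:
                total = HEADER_BITS + 8 * int("".join(map(str, bits[:HEADER_BITS])), 2)
    return _to_bytes(bits[HEADER_BITS:total] if total else bits[HEADER_BITS:])


def demo():
    """Embed the paper's sample message into a constructed 40x40 cover; extract with the right and a wrong key."""
    rng = random.Random(1)
    cover = [[[rng.randrange(256) for _ in range(3)] for _ in range(40)] for _ in range(40)]  # constructed
    key = generate_indicator_sequence(20, seed=42)          # per-user indicator sequence (the key)
    secret = b"Pondicherry University Computer Science Dept"
    stego = embed([[px[:] for px in row] for row in cover], key, secret)
    return extract(stego, key), extract(stego, generate_indicator_sequence(20, seed=7))


if __name__ == "__main__":
    good, bad = demo()
    print("right indicator sequence:", good)
    print("wrong indicator sequence:", bad)
```

Recording the bit count in the third channel is what lets the extractor work without the run-time random choices of the embedder; only the indicator sequence has to be shared, which is why it can serve as the per-user key of the stego-layer.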

4 DPIS algorithm in providing Transaction Security

4.1 Concept
In the proposed method a new layer called the stego-layer is introduced on both the client and the server side. Any critical data passing between client and server passes through the stego-layer. The stego-layer uses the Dynamic Pattern based Image Steganography algorithm for embedding and extracting the message, as explained in this section.
Internet banking is based on a client-server architecture. The proposed stego-layer is introduced on both the client and server sides for the embedding and extracting process. The idea behind the DPIS technique is that significant colour channels should not suffer from data embedding, while the insignificant colour channel can be used for data embedding.
4.2 Architecture for Stego-layer Method
Figure 1 below depicts the architecture of the stego-layer method.

[Figure 1: Browser -> Client Stego Layer (Embedding) -> Internet -> Server Stego Layer (Extracting) -> Bank Server -> Bank Database]

Fig. 1. Architecture of proposed Stego-layer Method

4.3 Working Model of Transaction security using DPIS algorithm

The working model of the proposed method has been implemented. The DPIS algorithm was implemented in MATLAB and its executable is invoked from the web browser. Once the user submits his username and password, the data is passed to the stego-layer. In the stego-layer the DPIS embedding algorithm is invoked, and it embeds the user credentials, using the key allocated to that particular user, into an image, producing the stego-image. Thus each customer has a dynamic key, and the allocated key is changed after a certain period of time to strengthen the security.
The stego-image is passed to the bank server through the internet. Once it reaches the server stego-layer, the embedded message is extracted by the DPIS algorithm using the symmetric key. The extracted user credentials are written to a file and validated in the bank server.
5 Anti-Phishing Method using DPIS algorithm Plug-in
5.1 Concept
The anti-phishing technique uses a steganography plug-in together with a stego-image generated by the Dynamic Pattern Based Image Steganography algorithm. A banking website that wishes to use this mechanism must place this stego-image on its website, and its users must install the proposed anti-phishing plug-in in their browser. When the user accesses the corresponding banking website, the plug-in is invoked automatically and extracts the secret message from the stego-image. If the message matches, the site is considered legitimate; otherwise it is considered a phishing site.

5.2 Architecture for Stego Anti-Phishing Plug-in

Figure 2 below depicts the architecture of the anti-phishing plug-in.

Fig. 2. Architecture of proposed Anti-Phishing Plug-in


The steps involved in the steganography plug-in are described below:
a) The bank website chooses an image of its choice and, using any image steganography algorithm, embeds a desired secret message into the image.
b) The bank incorporates the stego-image obtained in step a) into its website.
c) Any user who wishes to access the bank's website installs the steganography plug-in.
d) The steganography plug-in contains the code to locate the stego-image and to extract the secret message embedded in step a).
e) If the secret message extracted in step d) matches the message held by the steganography plug-in, the site the user is accessing is considered a legitimate website.
f) If the secret message extracted in step d) does not match the message held by the steganography plug-in, the website is considered a phished website.
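The decision logic of steps d) to f), as an added example written for this page rather than the authors' Safari plug-in. It is Python run over a constructed banking page and a constructed phishing page, with the extractor passed in as a callable so that the plug-in logic is independent of the steganography algorithm. Assumptions: the bank marks its stego-image with a fixed img id (STEGO_IMAGE_ID, hypothetical), the plug-in ships the expected secret (EXPECTED_SECRET), and the DPIS extractor is stood in for by a trivial red-channel LSB reader so that the block runs on its own; the function names are mine.

```python
"""Added example (not the paper's plug-in): verdict logic of the anti-phishing plug-in."""
import hmac
from html.parser import HTMLParser

STEGO_IMAGE_ID = "bank-stego-seal"                              # hypothetical marker on the bank's <img>
EXPECTED_SECRET = b"Pondicherry University Computer Science Dept"  # message the plug-in expects


class _ImgFinder(HTMLParser):
    """Collect the src of the <img> whose id marks the stego-image."""

    def __init__(self, wanted_id):
        super().__init__()
        self.wanted_id = wanted_id
        self.src = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("id") == self.wanted_id:
            self.src = attrs.get("src")


def locate_stego_image(page_html):
    """Step d), first half: find the stego-image the bank placed on its page (None if absent)."""
    finder = _ImgFinder(STEGO_IMAGE_ID)
    finder.feed(page_html)
    return finder.src


def classify_site(page_html, fetch_image, extract):
    """Steps d)-f): 'legitimate' when the extracted secret matches, otherwise 'phished'.

    fetch_image(src) returns the image pixels (or None); extract(pixels) returns bytes.
    A missing image or a failed fetch is treated as a mismatch, not as a pass.
    """
    src = locate_stego_image(page_html)
    if src is None:
        return "phished"
    image = fetch_image(src)
    if image is None:
        return "phished"
    recovered = extract(image)
    # constant-time comparison; unequal lengths simply compare as False
    return "legitimate" if hmac.compare_digest(recovered, EXPECTED_SECRET) else "phished"


# --- constructed stand-ins so the example runs offline ---------------------------------
def _stand_in_embed(message):
    """Stand-in for DPIS embedding: one message bit per pixel in the red channel LSB."""
    return [[0xA0 | ((byte >> i) & 1), 0x80, 0x40] for byte in message for i in range(7, -1, -1)]


def _stand_in_extract(pixels):
    """Stand-in for DPIS extraction matching _stand_in_embed."""
    bits = [px[0] & 1 for px in pixels]
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


IMAGES = {                                        # constructed "web server" image store
    "/seal.png": _stand_in_embed(EXPECTED_SECRET),
    "/logo.png": _stand_in_embed(b"just a logo, no seal"),
}
BANK_PAGE = '<html><body><img id="bank-stego-seal" src="/seal.png"><form>login</form></body></html>'
PHISH_PAGE = '<html><body><img id="bank-stego-seal" src="/logo.png"><form>login</form></body></html>'
NO_SEAL_PAGE = '<html><body><img id="logo" src="/logo.png"><form>login</form></body></html>'


def fetch_image(src):
    return IMAGES.get(src)


if __name__ == "__main__":
    for name, page in (("bank", BANK_PAGE), ("phish", PHISH_PAGE), ("no seal", NO_SEAL_PAGE)):
        print(f"{name:8}: {classify_site(page, fetch_image, _stand_in_extract)}")
```

The verdict depends only on the page content that the plug-in can extract, so the check is about what the page carries, not where it came from; in deployment it complements, rather than replaces, the certificate and domain checks the browser already performs.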

5.3 Working Model of Anti-Phishing Plug-in using DPIS algorithm

The steganography browser plug-in was implemented in the Safari browser on Mac OS. The advantages of the proposed steganography plug-in are listed below:
a) It is specific to a website.
b) The new steganography algorithm DPIS is used for embedding and extracting the message.
c) It responds quickly on whether the given website is legitimate or phished.
d) The proposed method does not depend on a blacklist database for comparing the given URL with already blacklisted URLs.

6 Qualitative Analysis of DPIS algorithm in Internet Banking

Many attacks on internet applications are reported in the literature survey [5]. In the proposed mechanism the Dynamic Pattern Based Image Steganography (DPIS) algorithm is used to strengthen both transaction security and the anti-phishing mechanism, hence the DPIS algorithm needs to be tested extensively. In this section the behaviour of the proposed DPIS steganography method under common attacks has been analysed experimentally. The most common attacks are:

- Brute force
- Extracting data from all pixels
- Extracting the same number of bits from data channels

Brute force attack on the indicator sequence: A brute force attack on the stego-layer method [2] [3] [5] involves trying all possible keys until the valid key is found. In the dynamic pattern based image steganography technique, the indicator channel carries the information about where the data is stored. An intruder may try a brute force attack on the indicator sequence until a meaningful message is found. In all experiments the length of the indicator sequence is greater than or equal to 20, so the number of distinct patterns generated is very high. For example, if the indicator length is 20, the number of distinct patterns generated is 774,840,978, which is difficult to break by a brute force attack.

The secret message shown in Table 1 was embedded in the cover medium by the DPIS technique, and a brute force attack was applied on the indicator sequence to extract the message from the stego-image.

Table 1: Embedded message and extracted message with wrong pixel indicator

Embedded secret message in cover medium:
  Pondicherry University Computer Science Dept
Secret message obtained by wrong indicator sequence:
  QibP(97u2q  < <] 4]nD
  |:8*  ~v&N-F KKe W;'

The above experiment shows that even if one value in the indicator sequence is incorrect, the embedded secret message cannot be extracted.
Extracting data from all the pixels sequentially: In the stego-layer method data is not embedded in all the pixels sequentially. Some pixels in the sequence are skipped in order to strengthen the algorithm. Table 2 shows the result of extracting data from all the pixels of the stego-image. The message embedded in the image cannot be extracted without the key. Since the key is known only to the communicating parties, the DPIS algorithm prevents man-in-the-middle attacks and session hijacking.
Table 2: Embedded Message and Extracted Message from all the pixels in the Stego Image

Embedded secret message in cover medium:
  Pondicherry University Computer Science Dept
Secret message obtained by extracting bits from all pixels in stego image:
  T+*m* -&#tKK`w0 -xy

Extracting the same number of bits from all pixels: In the stego-layer technique the number of bits embedded in each pixel varies and is decided at run time. Experiments were conducted to extract the same number of bits from all the pixels of the stego-image generated by the DPIS technique. Table 3 shows the result of extracting the same number of bits from all the pixels of the stego-image.
Table 3: Embedded message and message extracted with uniform number of bits from pixels in the stego image

Embedded secret message in cover medium:
  Pondicherry University Computer Science Dept
Secret message from stego image obtained by extracting 2 bits from all data channels:
  Sj Lc;G;? Cq chT =Y { w@SO`
  =o `4' h |
  *Hf#

7 Quantitative Analysis of DPIS algorithm in Internet Banking

In online banking the following parameters have been identified as the key features for comparison. They are:

- Network Security
- Transaction Security
- Performance
- Availability
- Dependency

The previous section has shown experimentally that the DPIS algorithm performs well in the qualitative analysis. We are currently focusing on comparing the DPIS algorithm quantitatively with other existing transaction security methods and anti-phishing methods on parameters such as performance, integrity, confidentiality, availability, system resource utilisation and non-repudiation.

References
[1] Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, Adi Shamir, "Key Recovery Attacks of Practical Complexity on AES Variants With Up To 10 Rounds", 2009.
[2] Anderson R.J., Petitcolas F.A.P., "On the limits of steganography", IEEE Journal on Selected Areas in Communications, May 1998.
[3] Andreas Westfeld, Andreas Pfitzmann, "Attacks on Steganographic Systems", Proceedings of the Third International Workshop on Information Hiding, pp. 61-76, September 29-October 01, 1999.
[4] Bailey K., Curran K., "An Evaluation of Image Based Steganography Methods", Multimedia Tools & Applications, Vol. 30, No. 1, pp. 55-88, July 2006.
[5] Christos K. Dimitriadis, "Analyzing the Security of Internet Banking Authentication Mechanisms", Information Systems Control Journal, Volume 3, 2007.
[6] Egwali Annie Oghenerukeyb et al., "Customers' Perception of Security Indicators in Online Banking Sites in Nigeria", Journal of Internet Banking and Commerce, April 2009.
[7] Geeta S. Navale, Swati S. Joshi, Aradhana A. Deshmukh, "M-banking Security: a futuristic improved Security approach", International Journal of Computer Science Issues, Vol. 7, Issue 1, No. 2, January 2010.
[8] Hiltgen A., Kramp T., Weigold T., "Secure Internet Banking Authentication", IEEE Security and Privacy, Vol. 4, No. 2, 2006.
[9] Dr A. K. Mishra, "Internet Banking in India - Part I", http://www.banknetindia.com/banking/ibkg.htm
[10] Plossl K., Federrath H., Nowey T., "Protection Mechanisms Against Phishing Attacks", in Trust, Privacy and Security in Digital Business, Lecture Notes in Computer Science Volume 3592, Springer, 2005.
[11] Svante Seleborg, "About AES - Advanced Encryption Standard", www.axantum.com/axcrypt/etc/AboutAES.pdf, 2007.
[12] Thiyagarajan P., Aghila G., Prasanna Venkatesan V., "Dynamic Pattern Based Image Steganography", Journal of Computing, ISSN 2151-9617, Volume 3, Issue 2, February 2011.