Design and Implementation of Automated Steganography Image-Detection System for the KakaoTalk Instant Messenger

Abstract: As the popularity of social network service (SNS) messengers (such as Telegram, WeChat or KakaoTalk) grows rapidly, cyberattackers and cybercriminals have started targeting them, and various media report numerous cyber incidents that have occurred on SNS messenger platforms. In particular, according to existing studies, a novel type of botnet, the so-called steganography-based botnet (stego-botnet), can be constructed and implemented in SNS chat messengers. In the stego-botnet, by using various steganography techniques, all botnet communication and control (C&C) messages are secretly embedded into multimedia files (such as image or video files) frequently shared in the SNS messenger. As a result, the stego-botnet can hide the malicious messages between a bot master and bots much better than existing botnets, because it avoids traditional botnet-detection methods that lack steganography-detection functions. Meanwhile, existing studies have focused on devising and improving steganography-detection algorithms, but no studies have built an automated steganography image-detection system, although there is a large number of SNS chatrooms on the Internet and thus there may be many potential steganography images in those chatrooms that need to be inspected for security. Consequently, in this paper, we propose an automated system that detects steganography image files by collecting and inspecting all image files shared in an SNS chatroom based on open image steganography tools. In addition, we implement our proposed system based on two open steganography tools (Stegano and Cryptosteganography) in the KakaoTalk SNS messenger and show experimental results that validate that our proposed automated detection system works successfully according to our design purposes.


Introduction
Recently, the usage of social network service (SNS) applications has been growing rapidly owing to the rapid advancement of mobile smartphones and 4G/5G wireless network technologies. Meanwhile, cyberattackers have started targeting smartphones with SNS applications [1][2][3]. In particular, many recent studies [4][5][6][7] report that cyberattackers can construct a stealthy botnet using steganography techniques in SNS instant messengers (SNS IMs) such as WeChat or KakaoTalk; this novel type of botnet is known as a steganography-based botnet or stego-botnet [8,9].
According to our extensive survey, most stego-botnets use image steganography techniques [10][11][12][13]. In the image stego-botnet constructed in an SNS IM, a bot master sends its command and control (C&C) messages to bots in a stealthy way as follows [14,15]. First, the bot master hides a secret message containing its commands into a plain image file (cover image) by using an image steganography method or tool such as Steghide or Openstego, and shares the image file (stego-image) in an SNS

• We proposed an automated detection model that can automatically collect and detect steganography image files shared in SNS IMs.
• We implemented and constructed our proposed model in the KakaoTalk SNS IM platform; for automated detection, we used two open steganography tools (Stegano [21] and Cryptosteganography [22]) to examine whether image files collected from a KakaoTalk chatroom contain secret hidden messages.
• We show experimental results that validate that our proposed automated detection system works successfully according to our design purpose.

The remainder of this paper is organized as follows. In Section 2, we overview traditional botnets, steganography-based botnets, and existing related studies. In Section 3, we propose and design an automated detection system for steganography images shared in the KakaoTalk chatroom. In Section 4, we implement our proposed system in the KakaoTalk SNS messenger and conduct experiments to show that our proposed system works properly according to our design purpose. Finally, we conclude with our future research directions in Section 5.

Background and Related Works
Before proceeding with the above research, it is necessary to have a good understanding of existing botnets and steganography-based botnets. Therefore, this section overviews the existing botnets and the response system, then introduces steganography-based botnets, and then the steganography-based botnet in the KakaoTalk environment.

Overview of Traditional Botnets
Botnet refers to a large number of networked devices that are infected by malware and are under the control of the bot master [23]. The botnet is one of the most serious network threats: the bot master, who has the authority to control the bots, remotely controls infected hosts to carry out various cyberattacks, including DDoS, adware, spyware, spam transmission, and illegal information gathering [23,24]. The existing botnet types are shown in Figure 1 [25]. The early botnets were mainly IRC botnets using the characteristics of Internet Relay Chat (IRC), as shown in Figure 1a; their structure is flexible and widely used. However, the disadvantage of IRC botnets is that they are easy to detect, which led to the appearance of HTTP-based botnets, as shown in Figure 1b. Detecting botnets that use HTTP is more difficult because botnet traffic is hidden in a large amount of normal HTTP traffic [26,27]. However, since the traffic generated by botnets is different from normal HTTP traffic, it is possible to detect them by using filters that distinguish the two [26][27][28]. In addition, like IRC botnets, HTTP botnets have a centralized structure in which C&C servers are responsible for both command and control. Thus, they have the disadvantage of being neutralized when the C&C servers are blocked. To compensate for these shortcomings, P2P botnets have emerged, in which each bot becomes a C&C server. The structure of the P2P botnet is shown in Figure 1c, and all bots act as C&C servers [29,30]. Command and control is performed in a distributed rather than centralized way, so even if one P2P botnet server is discovered, the botnet can be operated with the other servers without being neutralized. However, for P2P botnets, the size of the supported groups (hosts) is much smaller than for the existing centralized botnets: centralized botnets have thousands of hosts, whereas the P2P model has only a few dozen [29,30].
In addition, studies have suggested that P2P-based botnets can be detected through action-based or machine-learning-based detection methods [30], leading to the emergence of more advanced botnets in response. Since then, among the more advanced botnets, botnets using SNS have appeared, and studies have reported that botnets can be built on SNS messengers [31]. Some of these botnets use images. Among those, botnets that use steganography technology are called steganography-based botnets [32].
Computers 2020, 9, x FOR PEER REVIEW 3 of 14

Steganography-Based Botnet (Stego-Botnet)
Unlike the traditional botnets introduced in Section 2.1, a novel type of steganography-based botnet was proposed to improve the confidentiality of botnet C&C communication by hiding C&C messages, overcoming the weaknesses of existing botnets. A steganography-based botnet (or stego-botnet) uses steganography technology to hide the communication itself between the bot master and the bots so that it is not detected [31]. Figure 2 represents a stego-botnet that uses an IM/SNS as a relay server. In an existing botnet, the C&C server, bot master, and bots communicate directly. A stego-botnet that uses SNS, however, makes the botnet more difficult to detect by separating the bot master and the bots [33]. The bot master initially builds a botnet by exploiting known vulnerabilities in PCs, smartphones, and IoT devices or by attacking them through social engineering. Subsequently, the bot master posts or shares an image hiding the attack command message on the SNS, and the bots access the posted image, download it, and receive the attack order to perform [34,35]. Because the messages are hidden with steganography technology during C&C communication, they look no different from normal messages and can further avoid detection. Because the malicious messages are hidden in images and multimedia files that are distributed naturally on SNS, it is difficult to detect them with existing defense systems. Nagaraja et al. [32] studied an image steganography-based hidden communication model in the SNS environment, and Hiney et al. [36] focused on Facebook, examining the image compression that occurs during communication to identify conditions under which hidden messages are not destroyed.

Existing Studies Related to Stego-Botnets
First, there are a couple of studies on steganography-based botnets or covert channels in SNS services. Nagaraja et al. [32] first studied the possibility of establishing a steganography-based botnet in 2011. In 2019, Jeon and Cho [37] constructed an image steganography-based botnet and evaluated its performance on the KakaoTalk SNS messenger, which is the most popular in South Korea and has around 50 million users worldwide. KakaoTalk offers three chat modes: one-on-one chat, group chat, and open chat. In the case of open chat, up to 1500 users can participate anonymously in one chatroom. Since the KakaoTalk messenger provides an original file upload option with which a stego-image file can be shared safely without being damaged during the upload process [38], the authors showed the possibility of constructing a stego-botnet based on the KakaoTalk open chat. Recently, Gasimove et al. [39] implemented covert channels to transfer hidden information over WhatsApp, which is the most popular IM in the world. While some research on IMs has been conducted to point out the dangers of hacking IMs by using steganography, no corresponding studies have been identified.
Next, there are a couple of studies on countermeasures against steganography-based secret communication in SNS services. Konstantinos et al. [40] extensively reviewed image steganalysis techniques for digital forensics. Natarajan et al. [41] conducted research on detecting covert communication or botnets using steganography in SNS environments in 2012. In that study, host-based detection methods were proposed for steganography-based botnet detection. Specifically, assuming that stego-images are uploaded to profiles on Facebook, a model is trained on the entropy of these images by using machine learning techniques, and stego-images are detected by using an ensemble classifier. The same authors extended their work by adding a process of categorizing malicious profiles on SNS (Flickr) prior to the detection of stego-images [42].
According to our survey, there are no studies that build automated systems or techniques to detect steganography image files shared in SNS instant messengers. Motivated by this, in this study we propose an automated detection model and system that can automatically collect and detect steganography image files shared in SNS IMs.

Design of Automated Steganography Image-Detection System
In this section, we describe our automated steganography image-detection procedures in a KakaoTalk chatroom and then design the structure of our proposed system.

Automated Detection Procedure of Steganography Images Shared in a KakaoTalk Chatroom
Before we describe our automated detection procedure, we assume that a stego-botnet is already constructed in a KakaoTalk chatroom by an attacker (bot master) as shown in Figure 3. Thus, in this situation, the bot master periodically uploads stego-image files containing bot commands to the chatroom, and victims (bots) read and download those stego-image files from the chatroom because the image files look normal and interesting to them.
We now describe our automated detection procedure to capture steganography image files shared by the bot master at the chatroom. The detection procedure consists of the following five steps S1-S5 (see Figure 3). We note that S4 is implemented semi-automatically in Section 4.
S1. Defender participates in a KakaoTalk chatroom that he/she wants to monitor by using his/her device (smartphone or PC).
S2. Defender reads and clicks all shared image files in the chatroom.
S3. Then, image files are downloaded and saved at Defender's device (local storage).
S4. Stored image copies are automatically and periodically transferred from Defender's device (local storage) to Defender's inspection server (this stage is called automated collection).
S5. All collected image files are examined by our detection system, which reports whether there are steganography image files (this stage is called automated detection).

Design of Our Proposed System Model
To develop a system that follows the steganography image-detection procedure described in Section 3.1, we design our system with two major components, the automated collection component (ACC) and the automated detection component (ADC), as shown in Figure 4.
First, the automated collection component automatically collects all image files shared at KakaoTalk chatrooms. We design the automated collection component as follows. When Defender reads and clicks image files shared at a chatroom, those files are stored in the local storage of the Defender's device (e.g., smartphone or PC). To move them from the Defender's smartphone to the inspection server, we used a smartphone-to-PC synchronization app (Foldersync [43]). The reason for using this method is as follows. Initially, we tried to transfer image files from a smartphone to a server by connecting them through a USB cable, but we failed because our testing smartphone (Samsung Galaxy S10 5G) uses the media transfer protocol (MTP) when it transfers data over a USB cable, and our inspection server (PC) was restricted from accessing the storage of the smartphone. On the other hand, we confirmed that it is feasible to use a smartphone-to-PC synchronization application for periodic file transfer from a smartphone to the inspection server. Moreover, we can select a synchronization cycle through the scheduled synchronization option, which allows image files to be transferred periodically.
Second, the automated detection component automatically examines whether collected image files contain hidden steganography messages. As shown in Figure 4 (the right part), we design our automated detection component such that it can adopt more than one open steganography-detection software package that provides an API, so that we can develop our steganography detection program based on it. There are numerous image steganography tools and methods available on the Internet [44,45], and we do not know what kind of tools will be used by the attacker. Thus, no single steganography-detection method can detect steganography images perfectly. Consequently, the generic and scalable architecture of our proposed system overcomes the limited detection scope of a single steganography-detection tool and extends the detection scope of our proposed system by integrating multiple open steganography software packages or tools. There are many available steganography tools that can be considered in our ADC, such as Stegano, Cryptosteganography, Stegstamp, Stegonography, Stego, Stegbrute, Steganographer, and so on [21,22,46].

Implementation and Experiments
In this section, we describe how we implement our proposed system based on the system design explained in the previous section and then conduct experiments to show that our proposed system accurately detects test steganography image samples and displays detection results.

Automated Collection Component (ACC)
Next, after locating all image files, we moved them to the inspection server. As we explained in Section 3.2, we used a synchronization app for Android smartphones, the freeware Folder Sync version 3.0.17 [43] (see Figure 6a). Folder Sync supports various synchronization methods such as Cloud, FTP, and SMB, and the collection period and schedule can be configured (see Figure 6b,c); we used the SMB option to implement our proposed system. If a server (PC) and a smartphone are located in the same Wi-Fi zone, all files in the specified folder of the smartphone are periodically moved to the folder specified on the server (PC) according to the pre-determined time interval.

Automated Detection Component (ADC)
Once image files are collected by ACC, automatic detection component (ADC) examines whether the collected image files contain hidden steganography messages. As we explained in Section 3.2, we designed ADC which has a flexible architecture that can adopt multiple open steganography-detection software libraries in order to extend its detection scope easily.
To this end, we implemented ADC by using Python Programming Language (version 3.8) [48] according to its design as follows.
First, ADC finds steganography image files from the collected files. Next, for each image file, ADC checks whether a hidden message can be extracted from the image file. For this, as shown in Figure 7, we integrated the detection function of an open steganography tool (Stegano version 0.9.8, Cryptosteganography version 0.8.3) into our ADC [21,22]; these steganography tools provides a source library of its steganography detection so that it can be easily integrated into our ADC. We note that our ADC can easily extend its detection capability by employing an open source steganography tools by this manner. Second, our ADC periodically conducts the above detection procedure because image files are uploaded frequently at the chatroom. As shown in Figure 8, ADC can adjust its detection cycle by Second, our ADC periodically conducts the above detection procedure because image files are uploaded frequently at the chatroom. As shown in Figure 8, ADC can adjust its detection cycle by Computers 2020, 9, 103 9 of 14 setting the Thread timer to a certain value (e.g., every 300 s). This function enables ADC to periodically check and examine recently shared image files.
Computers 2020, 9, x FOR PEER REVIEW 9 of 14 setting the Thread timer to a certain value (e.g., every 300 s). This function enables ADC to periodically check and examine recently shared image files. Last, ADC displays its examination results periodically. As shown in Figure 9b, the examination results include inspection number, inspection results by two open steganography tools (Y (if detected) or N (if not detected)), hidden message (if each tool can extract it), and inspected filename. In addition, ADC displays inspection start time and we use this information to calculate inspection processing time later in our experiments.  Last, ADC displays its examination results periodically. As shown in Figure 9b, the examination results include inspection number, inspection results by two open steganography tools (Y (if detected) or N (if not detected)), hidden message (if each tool can extract it), and inspected filename. In addition, ADC displays inspection start time and we use this information to calculate inspection processing time later in our experiments.

Experimental Purpose and Methods
In this experiment, we demonstrate that our implemented system works properly according to our design by automatically and periodically collecting image files from a KakaoTalk chatroom, detecting sample steganography image files among the collected files, and displaying inspection results. Table 1 shows our experimental environment. For the Defender's smartphone and inspection server, we used one Samsung Galaxy S10 smartphone and one laptop (Lenovo Ideapad), respectively. For the SNS chatroom, we used the KakaoTalk IM mobile application. We implemented our ACC and ADC by using the Python Programming Language ver. 3.8, Folder sync ver. 3.0.16, and two open steganography modules (Stegano ver. 0.9.8 and Cryptosteganography ver. 0.8.3). In addition, we prepared 40 sample images (BMP and PNG format), and we used 20% of the sample images (8 images) as stego-images by embedding a hidden message "Secret" by using Stegano and Cryptosteganography. Figure 10 shows our sample images (32 normal images and 8 stego-images). All these images have the same resolution (640 × 420 pixels).
We conducted our experiment as follows. First, we created a KakaoTalk chatroom. Next, the Defender (smartphone) with our proposed system (ACC) joined the chatroom. Then we uploaded the 40 sample images randomly over two hours (120 min) to the KakaoTalk chatroom; to ease our analysis, we uploaded four stego-images by Stegano between 1st and 20th turn and four stego-images by Stegano between 21st and 40th turn. The ACC and ADC were set to collect and inspect sample images every 15 min, respectively. Thus, ACC and ADC operated 8 times over the two hours to collect and inspect uploaded images in the chatroom, and we observed that the upload turns of the stego-images were 1st, 4th, 13th, 18th, 23rd, 29th, 33rd, and 38th; the first four images were made by Stegano and the remaining four images were made by Cryptosteganography. We will confirm that these stego-images were correctly detected by our ADC.

Experimental Results and Analysis
We now explain the results of our experiment. When the 40 images were uploaded, ACC copied and transferred them directly to the inspection server every 15 min, as we had set. Figure 11 shows the inspection result by our ADC. For each inspected file, our ADC displayed the inspection result as "N" for a normal image and "Y" for a stego-image. Among the 40 sample images, the 8 stego-images (1st, 4th, 13th, 18th, 23rd, 29th, 33rd, and 38th) were correctly detected as containing a steganographic hidden message by both steganography modules, and the remaining normal images were not detected. However, Cryptosteganography failed to extract the hidden message from the first four stego-image files. On the other hand, Stegano extracted an incomprehensible message from the remaining four stego-image files.
The summary of our experiment is shown in Table 2. For each collection interval (the total number of intervals is 8), we can see the number of collected/inspected files and the inspection result (time taken to inspect, the number of normal images, and the number of stego-images). Specifically, during our experiment (two hours), 40 sample image files were collected and inspected every fifteen minutes with ACC and ADC. For example, for the first interval, four images were collected and inspected, and the inspection result shows that two images (1st and 4th images) were correctly detected as steganography images in 7 s (the average time per file is 1.75 s). For the second interval, six new images were collected, but 10 images, including the four images collected in the previous interval, were inspected together. Consequently, the time taken to inspect grows with each successive collection interval. When all 40 files had been inspected after eight intervals, the 8 stego-images were detected correctly, and the average inspection time per file was 2.73 s. Therefore, we confirm that our system works properly according to our design purposes.
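The per-file result row described for the ADC (Y/N per tool, extracted message, filename) and the re-inspection cost seen in Table 2, as an added Python example that is not the authors' code. `marker_tool` is a constructed stand-in for a real tool's extraction call, the `Inspector` class and all file names are hypothetical, and unlike the ADC as described it skips files already inspected in an earlier cycle; the Thread timer that would call `run_cycle` at each interval is left out.

```python
import hashlib
import tempfile
from pathlib import Path

IMAGE_EXTS = {".bmp", ".png"}  # formats of the paper's sample images

def marker_tool(tag):
    """Constructed stand-in for a real tool's extract call (hypothetical)."""
    def detect(path):
        parts = Path(path).read_bytes().split(tag)
        if len(parts) < 3:
            raise ValueError("no hidden message")  # a tool may raise, not return
        return parts[1].decode("ascii", "replace")
    return detect

class Inspector:
    def __init__(self, folder, tools):
        self.folder, self.tools = Path(folder), tools
        self.seen = set()  # (filename, SHA-256) pairs from earlier cycles
        self.rows = []     # (number, {tool: "Y"/"N"}, {tool: message}, filename)

    def run_cycle(self):
        """Inspect only images not seen before; return the rows added."""
        first_new = len(self.rows)
        images = (p for p in self.folder.iterdir() if p.suffix.lower() in IMAGE_EXTS)
        for path in sorted(images):
            key = (path.name, hashlib.sha256(path.read_bytes()).hexdigest())
            if key in self.seen:
                continue  # unchanged since an earlier cycle: no re-inspection
            self.seen.add(key)
            messages = {}
            for name, detect in self.tools.items():
                try:
                    messages[name] = detect(path)
                except Exception:  # one tool failing must not stop the cycle
                    messages[name] = None
            flags = {n: "Y" if m else "N" for n, m in messages.items()}
            self.rows.append((len(self.rows) + 1, flags, messages, path.name))
        return self.rows[first_new:]

def demo():
    """Two cycles over a constructed folder; cycle 2 inspects only 03.png."""
    with tempfile.TemporaryDirectory() as tmp:
        insp = Inspector(tmp, {"a": marker_tool(b"##"), "b": marker_tool(b"%%")})
        (insp.folder / "01.png").write_bytes(b"px ##Secret## px")  # constructed
        (insp.folder / "02.bmp").write_bytes(b"px px px")          # constructed
        first = insp.run_cycle()
        (insp.folder / "03.png").write_bytes(b"px %%Secret%% px")  # constructed
        return first, insp.run_cycle()
```

Keying the cache on filename plus SHA-256 means a file replaced under the same name is inspected again, while an unchanged file costs one hash per cycle instead of a full pass through every tool.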

Conclusions and Future Works
In this paper, to defend against image steganography-based C&C communication in an SNS chatroom, we proposed, designed, and implemented an automated steganography image-detection system for the KakaoTalk instant messenger. Our proposed system automatically and periodically collects image files shared in a KakaoTalk chatroom onto the inspection server, then examines whether the collected image files contain hidden messages and displays the inspection results.
In our future work, we plan to extend our research as follows. First, we will study a method that can trace a bot master in an SNS chatroom, especially in a public chatroom where participants can hide their identities by using nicknames. Tracing a bot master is a very important research issue, but it is challenging because of the limited information we can obtain about a bot master hiding its identity in the chatroom. Second, we will extend our study by considering other SNS IMs such as WeChat or Telegram and other open steganography-detection tools to broaden and strengthen our proposed system's detection capability. Third, our ACC (automated collection component) has the limitation that it depends on third-party software (FolderSync). We will develop a Python module that automatically locates folders in a smartphone and transfers image files in the folders to our inspection server. Last, we will study a prevention method that can be combined with our detection system to effectively prevent those files from being spread to other SNS chatrooms.