Xinyun Chen,Wenxiao Wang,Yiming Ding,Chris Bender,R. Jia,Bo Li,D. Song

2019-01-01

Abstract:Deep neural networks have achieved tremendous success in various fields; however, training these models from scratch could be computationally expensive and requires a lot of training data. Therefore, recent work has explored different watermarking techniques to protect the pre-trained deep neural networks from potential copyright infringements. Although several existing techniques could effectively embed such watermarks into the DNNs, they could be vulnerable to adversaries who aim at removing the watermarks. In this work, we demonstrate that a carefullydesigned fine-tuning method enables the adversary with limited training data to effectively remove the watermarks, without compromising the model functionality. In particular, leveraging auxiliary unlabeled data significantly decreases the amount of labeled training data needed for effective watermark removal, even if the unlabeled data samples are not drawn from the same distribution as the benign data for model evaluation.

Hanzhou Wu,Gen Liu,Yuwei Yao,Xinpeng Zhang

DOI: https://doi.org/10.1109/tcsvt.2020.3030671

IF: 5.859

2020-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:Watermarking neural networks is a quite important means to protect the intellectual property (IP) of neural networks. In this paper, we introduce a novel digital watermarking framework suitable for deep neural networks that output images as the results, in which any image outputted from a watermarked neural network must contain a certain watermark. Here, the host neural network to be protected and a watermark-extraction network are trained together, so that, by optimizing a combined loss function, the trained neural network can accomplish the original task while embedding a watermark into the outputted images. This work is totally different from previous schemes carrying a watermark by network weights or classification labels of the trigger set. By detecting watermarks in the outputted images, this technique can be adopted to identify the ownership of the host network and find whether an image is generated from a certain neural network or not. We demonstrate that this technique is effective and robust on a variety of image processing tasks, including image colorization, super-resolution, image editing, semantic segmentation and so on.

Zhenfei Wang,Nengchao Wang,Baochang Shi

DOI: https://doi.org/10.1109/wcica.2006.1712921

2006-01-01

Abstract:This paper proposes a novel digital watermarking technique based on neural networks in wavelet domain. Watermark embed processing is carried out by transforming the host image in wavelet domain. Watermark bits are added to the significant coefficients of wavelet selected by considering the human visual system (HVS) characteristics. Because of the learning and adaptive capabilities of neural networks, the trained neural networks can exactly recover the watermark from the watermarked image. Extensive experiments show that our technique possesses significant robustness to be against the various attacks

Wang Zhenfei,Zhai Guangqun,Wang Nengchao

DOI: https://doi.org/10.1007/bf02831846

2006-01-01

Wuhan University Journal of Natural Sciences

Abstract:An effective blind digital watermarking algorithm based on neural networks in the wavelet domain is presented. Firstly, the host image is decomposed through wavelet transform. The significant coefficients of wavelet are selected according to the human visual system (HVS) characteristics. Watermark bits are added to them. And then effectively cooperates neural networks to learn the characteristics of the embedded watermark related to them. Because of the learning and adaptive capabilities of neural networks, the trained neural networks almost exactly recover the watermark from the watermarked image. Experimental results and comparisons with other techniques prove the effectiveness of the new algorithm.

Wang Zhenfei,Song Shengli

DOI: https://doi.org/10.3969/j.issn.1003-7985.2007.02.012

2007-01-01

Abstract:A novel blind digital watermarking algorithm based on neural networks and multiwavelet transform is presented. The host image is decomposed through multiwavelet transform. There are four subblocks in the LL-level of the multiwavelet domain and these subblocks have many similarities. Watermark bits are added to lowfrequency coefficients. Because of the learning and adaptive capabilities of neural networks, the trained neural networks almost exactly recover the watermark from the watermarked image. Experimental results demonstrate that the new algorithm is robust against a variety of attacks, especially, the watermark extraction does not require the original image.

Sulong Ge,Zhihua Xia,Jianwei Fei,Yao Tong,Jian Weng,Ming Li

DOI: https://doi.org/10.1007/s11042-023-15048-y

IF: 2.577

2023-01-01

Multimedia Tools and Applications

Abstract:Watermarking is an important copyright protection technology which generally embeds the identity information into the carrier imperceptibly. Then the identity can be extracted to prove the copyright from the watermarked carrier even after suffering various attacks. Most of the existing watermarking technologies take the nature images as carriers. Different from the natural images, document images are not so rich in color and texture, and thus have less redundant information to carry watermarks. This paper proposes an end-to-end document image watermarking scheme using the deep neural network. Specifically, an encoder and a decoder are designed to embed and extract the watermark. A noise layer is added to simulate the various attacks that could be encountered in reality, such as the Cropout, Dropout, Gaussian blur, Gaussian noise, Resize, and JPEG Compression. A text-sensitive loss function is designed to limit the embedding modification on characters. An embedding strength adjustment strategy is proposed to improve the quality of watermarked image with little loss of extraction accuracy. Experimental results show that the proposed document image watermarking technology outperforms three state-of-the-art methods in terms of the robustness and image quality.

Wenbo Zheng,Shaocong Mo,Xin Jin,Yili Qu,Fei Deng,Jia Shuai,Zefeng Xie,Chengfeng Zheng,Sijie Long

DOI: https://doi.org/10.1109/iciea.2018.8397898

2018-01-01

Abstract:Digital watermarking technology is of great importance to protect the copyright of the owners and authenticate the security of the media. As digital images are vulnerable to some common attacks during transmission, it is very necessary to design a watermarking algorithm which can resist all kinds of common attacks. Nowadays, most of the watermarking algorithms published rely much on the locations of the pixels for watermark embedding, which results in less robustness. And some algorithms took some measures to increase the ability to resist attacks, but the measures taken limited the algorithm in watermark embedding capacity. In this paper, a robust watermarking algorithm based on convolution neural network (CNN) is proposed. We introduce discrete wavelet transform (DWT) technology and singular value decomposition (SVD) technology, to achieve the embedding process of watermark. The network is established in the spatial domain based on the pixels' relationships of watermark, host image and watermarked image. After that, The pixels of the watermarked image are lightly modified with the network. In addition, some attacks are taken to the watermarked image. Simulation shows that proposed algorithm has good performance, the watermark extracted can be clearly identified.

Qun-Ting Yang,Tie-Gang Gao,Li Fan

DOI: https://doi.org/10.1109/iciss.2010.5655017

2010-01-01

Abstract:A color image oblivious watermarking scheme based on neural network and discrete wavelet transform (DWT) is proposed in this paper. Three identical watermarks and some different expanded bit streams are adaptively embedded into the low frequency sub-bands generated from three channels for a color image, respectively. Due to the adaptive learning capabilities of neural network, the expanded bit streams could be used to train back propagation (BP) neural networks to represent the relationship among the neighbor wavelet coefficients. Based on the trained neural networks, three watermarking results can be extracted and then are voted to decide the final watermark. Extensive experiments illustrate that the new scheme possesses good robustness against different attacks including noise addition, shearing, scaling, luminance and distortion. And what's more, the scheme has excellent performance in term of imperceptibility and resistance to JPEG compression.

Xin Zhong,Pei-Chi Huang,Spyridon Mastorakis,Frank Y. Shih

DOI: https://doi.org/10.48550/arXiv.2007.02460

2020-07-06

Abstract:Digital image watermarking is the process of embedding and extracting a watermark covertly on a cover-image. To dynamically adapt image watermarking algorithms, deep learning-based image watermarking schemes have attracted increased attention during recent years. However, existing deep learning-based watermarking methods neither fully apply the fitting ability to learn and automate the embedding and extracting algorithms, nor achieve the properties of robustness and blindness simultaneously. In this paper, a robust and blind image watermarking scheme based on deep learning neural networks is proposed. To minimize the requirement of domain knowledge, the fitting ability of deep neural networks is exploited to learn and generalize an automated image watermarking algorithm. A deep learning architecture is specially designed for image watermarking tasks, which will be trained in an unsupervised manner to avoid human intervention and annotation. To facilitate flexible applications, the robustness of the proposed scheme is achieved without requiring any prior knowledge or adversarial examples of possible attacks. A challenging case of watermark extraction from phone camera-captured images demonstrates the robustness and practicality of the proposal. The experiments, evaluation, and application cases confirm the superiority of the proposed scheme.

Multimedia,Machine Learning

Jingxuan Tan,Nan Zhong,Zhenxing Qian,Xinpeng Zhang,Sheng Li

DOI: https://doi.org/10.1145/3581783.3612515

2023-01-01

Abstract:Deep neural network (DNN) watermarking is an emerging technique to protect the intellectual property of deep learning models. At present, many DNN watermarking algorithms have been proposed to achieve provenance verification by embedding identify information into the internals or prediction behaviors of the host model. However, most methods are vulnerable to model extraction attacks, where attackers collect output labels from the model to train a surrogate or a replica. To address this issue, we present a novel DNN watermarking approach, named SSW, which constructs an adaptive trigger set progressively by optimizing over a pair of symmetric shadow models to enhance the robustness to model extraction. Precisely, we train a positive shadow model supervised by the prediction of the host model to mimic the behaviors of potential surrogate models. Additionally, a negative shadow model is normally trained to imitate irrelevant independent models. Using this pair of shadow models as a reference, we design a strategy to update the trigger samples appropriately such that they tend to persist in the host model and its stolen copies. Moreover, our method could well support two specific embedding schemes: embedding the watermark via fine-tuning or from scratch. Our extensive experimental results on popular datasets demonstrate that our SSW approach outperforms state-of-the-art methods against various model extraction attacks in whether trigger set classification accuracy based or hypothesis test based verification. The results also show that our method is robust to common model modification schemes including fine-tuning and model compression.

Guanhui Ye,Jiashi Gao,Wei Xie,Bo Yin,Xuetao Wei

DOI: https://doi.org/10.48550/arXiv.2210.13801

2022-11-16

Abstract:Image watermarking is a technique for hiding information into images that can withstand distortions while requiring the encoded image to be perceptually identical to the original image. Recent work based on deep neural networks (DNN) has achieved impressive progression in digital watermarking. Higher robustness under various distortions is the eternal pursuit of digital image watermarking approaches. In this paper, we propose DBMARK, a novel end-to-end digital image watermarking framework to deep boost the robustness of DNN-based image watermarking. The key novelty is the synergy of invertible neural networks (INN) and effective watermark features generation. The framework generates watermark features with redundancy and error correction ability through the effective neural network based message processor, synergized with the powerful information embedding and extraction abilities of INN to achieve higher robustness and invisibility. The powerful learning ability of neural networks enables the message processor to adapt to various distortions. In addition, we propose to embed the watermark information in the discrete wavelet transform (DWT) domain and design low-low (LL) sub-band loss to enhance invisibility. Extensive experiment results demonstrate the superiority of the proposed framework compared with the state-of-the-art ones under various distortions such as dropout, cropout, crop, Gaussian filter, and JPEG compression.

Computer Vision and Pattern Recognition,Cryptography and Security

Xuan Wang,Yuliang Lu,Xuehu Yan,Long Yu

DOI: https://doi.org/10.3390/s22093489

2022-01-01

Abstract:In recent years, the wide application of deep neural network models has brought serious risks of intellectual property rights infringement. Embedding a watermark in a network model is an effective solution to protect intellectual property rights. Although researchers have proposed schemes to add watermarks to models, they cannot prevent attackers from adding and overwriting original information, and embedding rates cannot be quantified. Therefore, aiming at these problems, this paper designs a high embedding rate and tamper-proof watermarking scheme. We employ wet paper coding (WPC), in which important parameters are regarded as wet blocks and the remaining unimportant parameters are regarded as dry blocks in the model. To obtain the important parameters more easily, we propose an optimized probabilistic selection strategy (OPSS). OPSS defines the unimportant-level function and sets the importance threshold to select the important parameter positions and to ensure that the original function is not affected after the model parameters are changed. We regard important parameters as an unmodifiable part, and only modify the part that includes the unimportant parameters. We selected the MNIST, CIFAR-10, and ImageNet datasets to test the performance of the model after adding a watermark and to analyze the fidelity, robustness, embedding rate, and comparison schemes of the model. Our experiment shows that the proposed scheme has high fidelity and strong robustness along with a high embedding rate and the ability to prevent malicious tampering.

Alireza Tavakoli,Zahra Honjani,Hedieh Sajedi

DOI: https://doi.org/10.48550/arXiv.2210.06179

2022-10-29

Abstract:With the growing popularity of the Internet, digital images are used and transferred more frequently. Although this phenomenon facilitates easy access to information, it also creates security concerns and violates intellectual property rights by allowing illegal use, copying, and digital content theft. Using watermarks in digital images is one of the most common ways to maintain security. Watermarking is proving and declaring ownership of an image by adding a digital watermark to the original image. Watermarks can be either text or an image placed overtly or covertly in an image and are expected to be challenging to remove. This paper proposes a combination of convolutional neural networks (CNNs) and wavelet transforms to obtain a watermarking network for embedding and extracting watermarks. The network is independent of the host image resolution, can accept all kinds of watermarks, and has only 11 layers while keeping performance. Performance is measured by two terms; the similarity between the extracted watermark and the original one and the similarity between the host image and the watermarked one.

Image and Video Processing,Cryptography and Security,Computer Vision and Pattern Recognition

Xin Zhong,Frank Y. Shih

DOI: https://doi.org/10.1109/TMM.2020.3006415

2019-08-30

Abstract:Digital image watermarking is the process of embedding and extracting watermark covertly on a carrier image. Incorporating deep learning networks with image watermarking has attracted increasing attention during recent years. However, existing deep learning-based watermarking systems cannot achieve robustness, blindness, and automated embedding and extraction simultaneously. In this paper, a fully automated image watermarking system based on deep neural networks is proposed to generalize the image watermarking processes. An unsupervised deep learning structure and a novel loss computation are proposed to achieve high capacity and high robustness without any prior knowledge of possible attacks. Furthermore, a challenging application of watermark extraction from camera-captured images is provided to validate the practicality as well as the robustness of the proposed system. Experimental results show the superiority performance of the proposed system as comparing against several currently available techniques.

Multimedia,Computer Vision and Pattern Recognition,Machine Learning,Image and Video Processing

Xiangyu Wen,Yu Li,Wei Jiang,Qiang Xu

DOI: https://doi.org/10.48550/arXiv.2302.10296

2023-04-02

Abstract:Well-performed deep neural networks (DNNs) generally require massive labelled data and computational resources for training. Various watermarking techniques are proposed to protect such intellectual properties (IPs), wherein the DNN providers implant secret information into the model so that they can later claim IP ownership by retrieving their embedded watermarks with some dedicated trigger inputs. While promising results are reported in the literature, existing solutions suffer from watermark removal attacks, such as model fine-tuning and model pruning. In this paper, we propose a novel DNN watermarking solution that can effectively defend against the above attacks. Our key insight is to enhance the coupling of the watermark and model functionalities such that removing the watermark would inevitably degrade the model's performance on normal inputs. To this end, unlike previous methods relying on secret features learnt from out-of-distribution data, our method only uses features learnt from in-distribution data. Specifically, on the one hand, we propose to sample inputs from the original training dataset and fuse them as watermark triggers. On the other hand, we randomly mask model weights during training so that the information of our embedded watermarks spreads in the network. By doing so, model fine-tuning/pruning would not forget our function-coupled watermarks. Evaluation results on various image classification tasks show a 100\% watermark authentication success rate under aggressive watermark removal attacks, significantly outperforming existing solutions. Code is available: <a class="link-external link-https" href="https://github.com/cure-lab/Function-Coupled-Watermark" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Hongbo Xü,Rong Wang,Jia Wang,Shaoping Lu

DOI: https://doi.org/10.48550/arxiv.2112.13491

2021-01-01

Abstract:Digital image watermarking seeks to protect the digital media information from unauthorized access, where the message is embedded into the digital image and extracted from it, even some noises or distortions are applied under various data processing including lossy image compression and interactive content editing. Traditional image watermarking solutions easily suffer from robustness when specified with some prior constraints, while recent deep learning-based watermarking methods could not tackle the information loss problem well under various separate pipelines of feature encoder and decoder. In this paper, we propose a novel digital image watermarking solution with a compact neural network, named Invertible Watermarking Network (IWN). Our IWN architecture is based on a single Invertible Neural Network (INN), this bijective propagation framework enables us to effectively solve the challenge of message embedding and extraction simultaneously, by taking them as a pair of inverse problems for each other and learning a stable invertible mapping. In order to enhance the robustness of our watermarking solution, we specifically introduce a simple but effective bit message normalization module to condense the bit message to be embedded, and a noise layer is designed to simulate various practical attacks under our IWN framework. Extensive experiments demonstrate the superiority of our solution under various distortions.

Wei Zhang,Wenxue Cui,Feng Jiang,Chifu Yang,Ran Li

DOI: https://doi.org/10.1109/trustcom53373.2021.00028

2021-01-01

Abstract:Deep neural network (DNN), as a key component of deep learning technology, plays a vital role in its development. Most major technology companies use deep neural network as a key component to build their artificial intelligence products and service. Building a deep neural network model requires us to pay a huge price: large-scale labeled data sets, a large number of computing resources, and highly specialized domain knowledge. Therefore, we believe that the model owner owns the intellectual property rights of the model, and it is very important to design a technology that protects the intellectual property rights of the deep neural network model and allows the owner to externally verify its copyright. Through statistical analysis of a large number of pre-trained network parameters, we propose an end-to-end network model protection framework-Deep Water based on the distribution of network model parameters. First, we propose a new research problem: embedding watermarks into deep neural networks. We also define the requirements for watermarking in deep neural networks, the embedding situation, and the types of attacks. Secondly, we propose a general framework for embedding the watermark into the parameter distribution function of each layer of the convolutional network. Our method does not harm the performance of the network where the watermark is placed, because the watermark is embedded when the host network is trained. Finally, we conducted a comprehensive experiment to reveal the potential of watermarking deep neural networks as the basis for this new research work. We proved that our framework can embed watermarks in the process of training deep neural networks from scratch and in the process of fine-tuning and distillation without compromising its performance. Even after migration learning and watermark overlay operations, the embedded watermark will not disappear. Even if 65% of the parameters are trimmed, the watermark remains intact.

Jian Zhao,Mingquan Zhou,Hongmei Xie,Jinye Peng,Xin Zhou

DOI: https://doi.org/10.1007/978-3-540-28648-6_106

2004-01-01

Abstract:Digital watermarks have been proposed in recent literature as a means for copyright protection of multimedia data. In the absence of standardization and specific requirements imposed on watermarking procedures, anyone can claim ownership of any watermarked images. In order to protect against these counterfeiting techniques, we examine the properties that are necessary for resolving ownership via invisible watermarking. A method for watermarking of chaos and neural network is proposed in this paper. The watermark is embedded in the wavelet descriptors. Watermarks generated by this nonlinear technique can be successfully detected even after rotation, translation, scaling. And watermarks of our scheme are good at protecting from many kind watermark attacks. The experimental results demonstrate that the watermark is useful and practical.

Meng Li,Qi Zhong,Leo Yu Zhang,Yajuan Du,Jun Zhang,Yong Xiangt,Yong Xiang

DOI: https://doi.org/10.1109/trustcom50675.2020.00062

2020-12-01

Abstract:Similar to other digital assets, deep neural network (DNN) models could suffer from piracy threat initiated by insider and/or outsider adversaries due to their inherent commercial value. DNN watermarking is a promising technique to mitigate this threat to intellectual property. This work focuses on black-box DNN watermarking, with which an owner can only verify his ownership by issuing special trigger queries to a remote suspicious model. However, informed attackers, who are aware of the watermark and somehow obtain the triggers, could forge fake triggers to claim their ownerships since the poor robustness of triggers and the lack of correlation between the model and the owner identity. This consideration calls for new watermarking methods that can achieve better trade-off for addressing the discrepancy. In this paper, we exploit frequency domain image watermarking to generate triggers and build our DNN watermarking algorithm accordingly. Since watermarking in the frequency domain is high concealment and robust to signal processing operation, the proposed algorithm is superior to existing schemes in resisting fraudulent claim attack. Besides, extensive experimental results on 3 datasets and 8 neural networks demonstrate that the proposed DNN watermarking algorithm achieves similar performance on functionality metrics and better performance on security metrics when compared with existing algorithms.

Ming Cao,Ying Huang,Hu Guan,Hua Chun Song,Ning Bao Niu,Jie Liu

DOI: https://doi.org/10.1145/3638884.3638905

2024-01-01

Abstract:Recently, the application of deep learning in the field of image watermarking has gained increasing attention. Image watermarking is a technology used to protect the copyright and content integrity of images against piracy and tampering by embedding recognizable identifying information in the image. Deep learning models enable efficient image watermark embedding and extraction by automatically learning the features and structure of image. This paper summarizes the research work related to deep learning image watermarking in recent years. Firstly, this paper introduces the basic framework and design requirements of deep learning-based image watermarking. Subsequently, this paper categorizes and provides detailed descriptions of different modules within the watermarking framework. Then, this paper summarizes and compares the robustness performance of various deep watermarking models. Finally, this paper analyzes the future development prospects of deep learning-based image watermarking.