Guanlin Li,Yifei Chen,Jie Zhang,Jiwei Li,Shangwei Guo,Tianwei Zhang

DOI: https://doi.org/10.48550/arxiv.2310.07726

2023-01-01

Abstract:AI-Generated Content (AIGC) is gaining great popularity, with many emerging commercial services and applications. These services leverage advanced generative models, such as latent diffusion models and large language models, to generate creative content (e.g., realistic images and fluent sentences) for users. The usage of such generated content needs to be highly regulated, as the service providers need to ensure the users do not violate the usage policies (e.g., abuse for commercialization, generating and distributing unsafe content). A promising solution to achieve this goal is watermarking, which adds unique and imperceptible watermarks on the content for service verification and attribution. Numerous watermarking approaches have been proposed recently. However, in this paper, we show that an adversary can easily break these watermarking mechanisms. Specifically, we consider two possible attacks. (1) Watermark removal: the adversary can easily erase the embedded watermark from the generated content and then use it freely bypassing the regulation of the service provider. (2) Watermark forging: the adversary can create illegal content with forged watermarks from another user, causing the service provider to make wrong attributions. We propose Warfare, a unified methodology to achieve both attacks in a holistic way. The key idea is to leverage a pre-trained diffusion model for content processing and a generative adversarial network for watermark removal or forging. We evaluate Warfare on different datasets and embedding setups. The results prove that it can achieve high success rates while maintaining the quality of the generated content. Compared to existing diffusion model-based attacks, Warfare is 5,050~11,000x faster.

Jianjing FU,Deren CHEN,Dawen XU,Jiafa MAO

DOI: https://doi.org/10.1360/n112018-00196

2019-01-01

Abstract:Malicious tampering of digital image content may lead to serious consequences. As image resolution increases and its circulations on the network grows rapidly, images undergo double compression in the following environment: compression (JPEG/JPEG2000) for first release, decoding, application processing (conventional signal processing/security attacks/malicious content tampering), and compression (JPEG2000/JPEG) for rerelease before detection. Effectively determining whether the image content has been tampered and to locate the tampering position in a double-compression environment is an urgent problem. In this paper, a novel watermark expression method based on rotating vector and its modulation algorithm is proposed. Based on this method, a semi-fragile watermarking scheme is established for the image content authentication. The stability of watermarked data is analyzed theoretically, providing the watermark scheme with a theoretical basis. The authentication schemes with feature extraction and reconstruction, watermark embedding and extraction, and tamper detection and localization are mainly elaborated. The robustness of watermark, its security, and related detection performance are analyzed. Theoretical analysis and experiments show that the scheme features a good watermark transparency, good robustness, and stable distribution for different attacks and can effectively distinguish malicious tampering from content-preserving operators and locate tampering area under double-compression environment. In addition, the proposed scheme can resist watermark attacks, collage attacks, and forge attacks. Compared with related schemes, the proposed scheme has superior comprehensive performance and is suitable for content authentication in double-compression environment, which expands the application scope of watermark-based content authentication.

Kangli Hao,Guorui Feng,Xinpeng Zhang

DOI: https://doi.org/10.23919/jcc.2020.11.012

2020-01-01

China Communications

Abstract:Digital watermark embeds information bits into digital cover such as images and videos to prove the creator’s ownership of his work. In this paper, we propose a robust image watermark algorithm based on a generative adversarial network. This model includes two modules, generator and adversary. Generator is mainly used to generate images embedded with watermark, and decode the image damaged by noise to obtain the watermark. Adversary is used to discriminate whether the image is embedded with watermark and damage the image by noise. Based on the model Hidden（hiding data with deep networks）, we add a high-pass filter in front of the discriminator, making the watermark tend to be embedded in the mid-frequency region of the image. Since the human visual system pays more attention to the central area of the image, we give a higher weight to the image center region, and a lower weight to the edge region when calculating the loss between cover and embedded image. The watermarked image obtained by this scheme has a better visual performance. Experimental results show that the proposed architecture is more robust against noise interference compared with the state-of-art schemes.

Xiaodong Wu,Xiangman Li,Jianbing Ni

2024-08-04

Abstract:Watermarking has become one of promising techniques to not only aid in identifying AI-generated images but also serve as a deterrent against the unethical use of these models. However, the robustness of watermarking techniques has not been extensively studied recently. In this paper, we investigate the robustness of generative watermarking, which is created from the integration of watermarking embedding and text-to-image generation processing in generative models, e.g., latent diffusion models. Specifically, we propose three attacking methods, i.e., discriminator-based attacks, edge prediction-based attacks, and fine-tune-based attacks, under the scenario where the watermark decoder is not accessible. The model is allowed to be fine-tuned to created AI agents with specific generative tasks for personalizing or specializing. We found that generative watermarking methods are robust to direct evasion attacks, like discriminator-based attacks, or manipulation based on the edge information in edge prediction-based attacks but vulnerable to malicious fine-tuning. Experimental results show that our fine-tune-based attacks can decrease the accuracy of the watermark detection to nearly $67.92\%$. In addition, We conduct an ablation study on the length of fine-tuned messages, encoder/decoder's depth and structure to identify key factors that impact the performance of fine-tune-based attacks.

Cryptography and Security

Peifei Zhu,Tsubasa Takahashi,Hirokatsu Kataoka

2024-04-19

Abstract:Diffusion Models (DMs) have shown remarkable capabilities in various image-generation tasks. However, there are growing concerns that DMs could be used to imitate unauthorized creations and thus raise copyright issues. To address this issue, we propose a novel framework that embeds personal watermarks in the generation of adversarial examples. Such examples can force DMs to generate images with visible watermarks and prevent DMs from imitating unauthorized images. We construct a generator based on conditional adversarial networks and design three losses (adversarial loss, GAN loss, and perturbation loss) to generate adversarial examples that have subtle perturbation but can effectively attack DMs to prevent copyright violations. Training a generator for a personal watermark by our method only requires 5-10 samples within 2-3 minutes, and once the generator is trained, it can generate adversarial examples with that watermark significantly fast (0.2s per image). We conduct extensive experiments in various conditional image-generation scenarios. Compared to existing methods that generate images with chaotic textures, our method adds visible watermarks on the generated images, which is a more straightforward way to indicate copyright violations. We also observe that our adversarial examples exhibit good transferability across unknown generative models. Therefore, this work provides a simple yet powerful way to protect copyright from DM-based imitation.

Computer Vision and Pattern Recognition,Artificial Intelligence

Xiang Li,Chan Lu,Danni Cheng,Wei-Hong Li,Mei Cao,Bo Liu,Jiechao Ma,Wei-Shi Zheng

DOI: https://doi.org/10.48550/arXiv.1905.12845

2019-08-19

Abstract:Visible watermark plays an important role in image copyright protection and the robustness of a visible watermark to an attack is shown to be essential. To evaluate and improve the effectiveness of watermark, watermark removal attracts increasing attention and becomes a hot research top. Current methods cast the watermark removal as an image-to-image translation problem where the encode-decode architectures with pixel-wise loss are adopted to transfer the transparent watermarked pixels into unmarked pixels. However, when a number of realistic images are presented, the watermarks are more likely to be unknown and diverse (i.e., the watermarks might be opaque or semi-transparent; the category and pattern of watermarks are unknown). When applying existing methods to the real-world scenarios, they mostly can not satisfactorily reconstruct the hidden information obscured under the complex and various watermarks (i.e., the residual watermark traces remain and the reconstructed images lack reality). To address this difficulty, in this paper, we present a new watermark processing framework using the conditional generative adversarial networks (cGANs) for visible watermark removal in the real-world application. The proposed method enables the watermark removal solution to be more closed to the photo-realistic reconstruction using a patch-based discriminator conditioned on the watermarked images, which is adversarially trained to differentiate the difference between the recovered images and original watermark-free images. Extensive experimental results on a large-scale visible watermark dataset demonstrate the effectiveness of the proposed method and clearly indicate that our proposed approach can produce more photo-realistic and convincing results compared with the state-of-the-art methods.

Computer Vision and Pattern Recognition,Image and Video Processing

Li Zhang,Yong Liu,Xinpeng Zhang,Hanzhou Wu

DOI: https://doi.org/10.1145/3658664.3659634

2024-01-01

Abstract:As generative models find broader applications in Internet of Things (IoT) image processing tasks, safeguarding the copyright of these models assumes increasing significance. Embedding watermarks on the output images generated by such models has been proposed by some researchers as a means of protecting intellectual property. However, prevailing methods for generating model watermarks inadvertently introduce significant high-frequency artifacts in high-frequency regions, compromising the imperceptibility and security of the watermarking system. In pursuit of enhancing the imperceptibility of generative model watermarking, we propose a framework based on discrete wavelet transform. This framework effectively mitigates the high-frequency artifact issue and enhances the frequency-domain concealment of watermarking. Specifically, we introduce an embedded watermarking network, a frequency separation layer, and a watermark extraction network after the output of the target model. We construct a wavelet frequency domain separation layer by wavelet decomposition to decompose the image generated by the embedding network into different frequency components, and embed the watermark into the low-frequency region of the target model output image through joint training and joint loss optimization of the embedding and extraction networks. Extensive experiments conducted on two image processing tasks, i.e., painting transfer and de-raining, demonstrate that our method exhibits no discernible traces of high-frequency artifacts in the frequency domain of the image in both cases, thus boasting superior invisibility. Furthermore, our method demonstrates robustness against pre-processing attacks, such as noise addition, resizing, and image cropping.

Yihan Ma,Zhengyu Zhao,Xinlei He,Zheng Li,Michael Backes,Yang Zhang

DOI: https://doi.org/10.48550/arXiv.2306.07754

2023-06-13

Computer Vision and Pattern Recognition

Abstract:Large text-to-image models have shown remarkable performance in synthesizing high-quality images. In particular, the subject-driven model makes it possible to personalize the image synthesis for a specific subject, e.g., a human face or an artistic style, by fine-tuning the generic text-to-image model with a few images from that subject. Nevertheless, misuse of subject-driven image synthesis may violate the authority of subject owners. For example, malicious users may use subject-driven synthesis to mimic specific artistic styles or to create fake facial images without authorization. To protect subject owners against such misuse, recent attempts have commonly relied on adversarial examples to indiscriminately disrupt subject-driven image synthesis. However, this essentially prevents any benign use of subject-driven synthesis based on protected images. In this paper, we take a different angle and aim at protection without sacrificing the utility of protected images for general synthesis purposes. Specifically, we propose GenWatermark, a novel watermark system based on jointly learning a watermark generator and a detector. In particular, to help the watermark survive the subject-driven synthesis, we incorporate the synthesis process in learning GenWatermark by fine-tuning the detector with synthesized images for a specific subject. This operation is shown to largely improve the watermark detection accuracy and also ensure the uniqueness of the watermark for each individual subject. Extensive experiments validate the effectiveness of GenWatermark, especially in practical scenarios with unknown models and text prompts (74% Acc.), as well as partial data watermarking (80% Acc. for 1/4 watermarking). We also demonstrate the robustness of GenWatermark to two potential countermeasures that substantially degrade the synthesis quality.

Chuan Qin,Shengyan Gao,Xinpeng Zhang,Guorui Feng

DOI: https://doi.org/10.1109/mmul.2022.3213004

IF: 3.4911

2023-01-01

IEEE Multimedia

Abstract:Robust watermarking plays an essential role in copyright protection for digital images. Meanwhile, the studies of robust image watermarking and corresponding attack methods promote and complement each other. Because the traditional attack methods are weak to attack the deep watermarking, in this work, we thus design an effective watermarking attack method based on the conditional generative adversarial nets (CGAN). Also, according to the network structure of CGAN, a targeted and combined loss function is constructed, which can guarantee an acceptable visual quality of attacked image and make the watermark extraction fail simultaneously. Experimental results demonstrate that our method is effective for some state-of-the-art deep robust image watermarking methods with the transferability. In addition, as an attack method, it can be regarded as an evaluation standard to measure the robustness of watermarking.

Tong Qiao,Yuyan Ma,Ning Zheng,Hanzhou Wu,Yanli Chen,Ming Xu,Xiangyang Luo

DOI: https://doi.org/10.1016/j.cose.2023.103102

2023-01-15

Abstract:With the advance of deep learning, it definitely has achieved the unprecedented success in the community of artificial intelligence. However, the issue of the intellectual property (IP) protection towards deep learning model is usually ignored, which largely threats the interests of the model owner. Currently, although a few schemes of model watermarking have been continuously proposed, in order to protect the specific neural network designed for detection or classification task, most of them are hardly directly applicable to generative adversarial networks (GAN). To our knowledge, the GAN model has plays more and more important role in the computer vision, such as image-to-image translation, text-to-image translation, image inpainting and etc., which remarkably improves the capability of image generation. Similarly, the malicious attackers possibly steal a trained GAN model to infringe the IP of the true model owner. To address that challenging issue, it is proposed to establish the framework of model watermarking towards GAN model. In particular, we first establish the trigger set by combining the watermark label with the verification image. Next, the watermarked generator is efficiently trained on the premise of preserving the original model performance. Finally, only relying on the correct watermark label, the synthetic watermark can be successfully triggered by the model owner for IP protection. The extensive experiments have verified the effectiveness and generalization of our designed method, which can easily be applicable to the benchmark GAN models such as WGAN-GP, ProGAN and StyleGAN2. Moreover, our proposed model watermark is robust enough to resist against the mainstream attacks, such as parameter fine-tuning and model pruning.

computer science, information systems

Yuexin Xiang,Tiantian Li,Wei Ren,Tianqing Zhu,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1016/j.jisa.2023.103662

2022-08-04

Abstract:With the increasing attention to deep neural network (DNN) models, attacks are also upcoming for such models. For example, an attacker may carefully construct images in specific ways (also referred to as adversarial examples) aiming to mislead the DNN models to output incorrect classification results. Similarly, many efforts are proposed to detect and mitigate adversarial examples, usually for certain dedicated attacks. In this paper, we propose a novel digital watermark-based method to generate image adversarial examples to fool DNN models. Specifically, partial main features of the watermark image are embedded into the host image almost invisibly, aiming to tamper with and damage the recognition capabilities of the DNN models. We devise an efficient mechanism to select host images and watermark images and utilize the improved discrete wavelet transform (DWT) based Patchwork watermarking algorithm with a set of valid hyperparameters to embed digital watermarks from the watermark image dataset into original images for generating image adversarial examples. The experimental results illustrate that the attack success rate on common DNN models can reach an average of 95.47% on the CIFAR-10 dataset and the highest at 98.71%. Besides, our scheme is able to generate a large number of adversarial examples efficiently, concretely, an average of 1.17 seconds for completing the attacks on each image on the CIFAR-10 dataset. In addition, we design a baseline experiment using the watermark images generated by Gaussian noise as the watermark image dataset that also displays the effectiveness of our scheme. Similarly, we also propose the modified discrete cosine transform (DCT) based Patchwork watermarking algorithm. To ensure repeatability and reproducibility, the source code is available on GitHub.

Computer Vision and Pattern Recognition,Cryptography and Security

Qi Li,Xingyuan Wang,Bin Ma,Xiaoyu Wang,Chunpeng Wang,Suo Gao,Yunqing Shi

DOI: https://doi.org/10.1109/tcsvt.2021.3138795

IF: 5.859

2021-01-01

IEEE Transactions on Circuits and Systems for Video Technology

Abstract:While existing watermarking attack methods can disturb the correct extraction of watermark information, the visual quality of watermarked images will be greatly damaged. Therefore, a concealed attack based on generative adversarial network and perceptual losses for robust watermarking is proposed. First, the watermarked image is utilized as the input of generative networks, and its generating target (i.e. attacked watermarked image) is the original image. Inspired by the U-Net network, the generative networks consist of encoder-decoder architecture with skip connection, which can combine the low-level and high-level information to ensure the imperceptibility of the generated image. Next, to further improve the imperceptibility of the generated image, instead of the loss function based on MSE, a perceptual loss based on feature extraction is introduced. In addition, a discriminative network is also introduced to make the appearance and distribution of generated image similar to those of the original image. The addition of the discriminative network can remove watermark information effectively. Extensive experiments are conducted to verify the feasibility of the proposed concealed attack method. Experimental and analysis results demonstrate that the proposed concealed attack method has better imperceptibility and attack ability in comparison to the existing watermarking attack methods.

engineering, electrical & electronic

Jinwei Wang,Wanyun Huang,Jiawei Zhang,Xiangyang Luo,Bin Ma

DOI: https://doi.org/10.1016/j.jisa.2024.103750

IF: 4.96

2024-03-19

Journal of Information Security and Applications

Abstract:Digital image watermarking used to be an important tool for copyright protection. However, as neural network-based watermark removal methods have been proposed in recent years, the embedded watermark is increasingly easy to be erased, which poses a great threat to copyright protection. To address this issue, we propose an adversarial visible watermark scheme, which combines the visible watermark with the adversarial perturbation. By attacking the watermark removal network, we maximize the resistance of visible watermark against removal while minimizing the visual distortion. To further improve the robustness against various transformations (e.g. cropping, JPEG compression), we employ the region of interest and random pre-processing to embed the adversarial visible watermark. The experimental results show that the proposed scheme can effectively resist the removal of watermarks on different datasets and network structures while having good transferability and robustness, which enables the watermark to continue to be an effective copyright protection method.

computer science, information systems

Jiangtao Huang,Ting Luo,Li Li,Gaobo Yang,Haiyong Xu,Chin-Chen Chang

DOI: https://doi.org/10.1109/tim.2023.3285981

IF: 5.6

2023-06-30

IEEE Transactions on Instrumentation and Measurement

Abstract:In the existing deep learning-based watermarking models, extracted image features for fusing with watermark are not abundant enough and more critically, and essential features are not highlighted to be learned with the purpose of robust watermarking, both of which limit the watermarking performance. To solve those two drawbacks, this article proposes an attention-guided robust image watermarking model based on a generative adversarial network (ARWGAN). To acquire a great deal of representational image features, a feature fusion module (FFM) is devised to learn shallow and deep features effectively for multilayer fusion with watermark, and meanwhile, reuse of those features by the dense connection enhances robustness. To alleviate image distortion caused by embedding watermark, an attention module (AM) is deployed to compute the attention mask by mining the global features of the original image. Specifically, with the guidance of the attention mask, image features representing inconspicuous regions and texture regions are enhanced for embedding the high strength of watermark, and simultaneously, other features are suppressed to improve the watermarking performance. Furthermore, the noise subnetwork is adopted for robustness enhancement by simulating various image attacks in iterative training. The discriminator is used to distinguish the encoded image from the original image for improving watermarking invisibility continuously. Experimental results demonstrate that the ARWGAN is superior to the existing state-of-the-art (SOTA) watermarking models, and ablation experiments prove the effectiveness of the FFM and the AM. The code is available at https://github.com/river-huang/ARWGAN.

engineering, electrical & electronic,instruments & instrumentation

Jianwei Fei,Zhihua Xia,Benedetta Tondi,Mauro Barni

DOI: https://doi.org/10.1109/tifs.2024.3443650

IF: 7.231

2024-09-20

IEEE Transactions on Information Forensics and Security

Abstract:We propose a novel multi-bit box-free watermarking method for the protection of Intellectual Property Rights (IPR) of GANs with improved robustness against white-box model-level attacks like fine-tuning, pruning, quantization, and surrogate model attacks. The watermark is embedded by adding an extra watermarking loss term during GAN training, ensuring that the images generated by the GAN contain an invisible watermark that can be retrieved by a pre-trained watermark decoder. In order to improve the robustness against white-box model-level attacks, we make sure that the model converges to a wide flat minimum of the watermarking loss term, in such a way that any modification of the model parameters does not erase the watermark. To do so, we add random noise vectors to the parameters of the generator and require that the watermarking loss term is as invariant as possible with respect to the presence of noise. This procedure forces the generator to converge to a wide flat minimum of the watermarking loss. The proposed method is architecture- and dataset-agnostic, thus being applicable to many different generation tasks and models, as well as to CNN-based image processing architectures. We present the results of extensive experiments showing that the presence of the watermark has a negligible impact on the quality of the generated images, and proving the superior robustness of the watermark against model modification and surrogate model attacks.

computer science, theory & methods,engineering, electrical & electronic

Xun Xian,Ganghua Wang,Xuan Bi,Jayanth Srinivasa,Ashish Kundu,Mingyi Hong,Jie Ding

2024-01-24

Abstract:Safeguarding intellectual property and preventing potential misuse of AI-generated images are of paramount importance. This paper introduces a robust and agile plug-and-play watermark detection framework, dubbed as RAW. As a departure from traditional encoder-decoder methods, which incorporate fixed binary codes as watermarks within latent representations, our approach introduces learnable watermarks directly into the original image data. Subsequently, we employ a classifier that is jointly trained with the watermark to detect the presence of the watermark. The proposed framework is compatible with various generative architectures and supports on-the-fly watermark injection after training. By incorporating state-of-the-art smoothing techniques, we show that the framework provides provable guarantees regarding the false positive rate for misclassifying a watermarked image, even in the presence of certain adversarial attacks targeting watermark removal. Experiments on a diverse range of images generated by state-of-the-art diffusion models reveal substantial performance enhancements compared to existing approaches. For instance, our method demonstrates a notable increase in AUROC, from 0.48 to 0.82, when compared to state-of-the-art approaches in detecting watermarked images under adversarial attacks, while maintaining image quality, as indicated by closely aligned FID and CLIP scores.

Computer Vision and Pattern Recognition,Cryptography and Security,Machine Learning

Zhengyuan Jiang,Jinghuai Zhang,Neil Zhenqiang Gong

DOI: https://doi.org/10.48550/arXiv.2305.03807

IF: 5.414

2023-05-05

Machine Learning

Abstract:A generative AI model -- such as DALL-E, Stable Diffusion, and ChatGPT -- can generate extremely realistic-looking content, posing growing challenges to the authenticity of information. To address the challenges, watermark has been leveraged to detect AI-generated content. Specifically, a watermark is embedded into an AI-generated content before it is released. A content is detected as AI-generated if a similar watermark can be decoded from it. In this work, we perform a systematic study on the robustness of such watermark-based AI-generated content detection. We focus on AI-generated images. Our work shows that an attacker can post-process an AI-generated watermarked image via adding a small, human-imperceptible perturbation to it, such that the post-processed AI-generated image evades detection while maintaining its visual quality. We demonstrate the effectiveness of our attack both theoretically and empirically. Moreover, to evade detection, our adversarial post-processing method adds much smaller perturbations to the AI-generated images and thus better maintain their visual quality than existing popular image post-processing methods such as JPEG compression, Gaussian blur, and Brightness/Contrast. Our work demonstrates the insufficiency of existing watermark-based detection of AI-generated content, highlighting the urgent needs of new detection methods.

Jia-Yi Zhong,Duo-Wen Pan,Jing-Jie Wang,Xuan-Bo Jia

DOI: https://doi.org/10.1109/access.2023.3337812

IF: 3.9

2023-12-13

IEEE Access

Abstract:Deep learning-based image watermarking algorithms have been widely studied as an important technology for copyright protection. These methods utilize an end-to-end architecture with an encoder, a noise layer and a decoder to make the watermark robust to various distortions. However, recent algorithms present unsatisfactory visual quality and robustness against JPEG compression, which is the most common image processing operation but is non-differential thus cannot be directly included in the noise layer. To address this limitation, this study proposes a novel enhanced attention-based image watermarking algorithm with simulated JPEG compression, which leverages the channel and spatial attention mechanism to facilitate watermark embedding and simulates JPEG compression with a suitably designed function. Precisely, we design a differentiable rounding function based on the Fourier series to replace the quantization process in JPEG compression, which overcomes the non-differentiability of JPEG compression and can be incorporated in the training process. In addition, we propose an enhanced dual attention module in the encoder, which combines channel and spatial attention to improve the performance of our model. The channel attention guides the encoder to fuse the watermark into more important channels and the spatial attention further helps to embed the watermark into regions with more complex textures. The experimental results show that our method generates high quality watermarked images, with PSNR over 50 when no noise is applied. Compared with current methods, our model achieves stronger robustness to JPEG compression, with bit accuracy over 99% under the JPEG compression with quality factor of 50. Besides, the proposed framework also exhibits excellent robustness for a variety of common distortions, including cropout and dropout.

computer science, information systems,telecommunications,engineering, electrical & electronic