WAN: Watermarking Attack Network
PPREPARED FOR IEEE TRANSACTIONS ON 1
WAN: Watermarking Attack Network
Seung-Hun Nam ∗ , Wonhyuk Ahn ∗ , In-Jae Yu, Seung-Min Mun, and Heung-Kyu Lee Abstract —Multi-bit watermarking (MW) has been developedto improve robustness against signal processing operations andgeometric distortions. To this end, several benchmark toolsthat simulate possible attacks on images to test robustness areavailable. However, limitations in these general attacks exist sincethey cannot exploit specific characteristics of the targeted MW. Inaddition, these attacks are usually devised without considerationfor visual quality, which rarely occurs in the real world. Toaddress these limitations, we propose a watermarking attacknetwork (WAN), a fully trainable watermarking benchmark tool,that utilises the weak points of the target MW and removesinserted watermark and inserts inverted bit information, therebyconsiderably reducing watermark extractability. To hinder theextraction of hidden information while ensuring high visualquality, we utilise a residual dense blocks-based architecturespecialised in local and global feature learning. A novel water-marking attack loss is introduced to break the MW systems. Weempirically demonstrate that the WAN can successfully fool avariety of MW systems.
Index Terms —Watermarking attack, Multi-bit watermarking,Convolutional neural network (CNN), Watermark bit inversion
I. I
NTRODUCTION D IGITAL watermarking is a technique used to protectcopyright by embedding identification information, re-ferred to as watermark, into the original image [1], [2]. Unlikevisible watermarking, which inserts a watermark perceptibleby the human visual system (HVS), invisible watermarkingis an approach that embeds imperceptible watermarks. Inparticular, multi-bit watermarking (MW), which is a represen-tative example of invisible watermarking, has been activelyresearched so that multi-bit information can be extracted fromthe watermarked image [3], [4]. MW inserts watermarks byconsidering the following fundamental requirements:
Imper-ceptibility , which is the degree of invisibility of a watermark inthe watermarked signal, and
Robustness , which is the ability ofthe watermark to survive against various watermarking attacks[5].Imperceptibility is assessed using image quality assess-ment (IQA) metrics, which evaluate visual quality degrada-tion caused by the embedding of the watermark. To assessrobustness, a benchmark tool composed of various attacks,such as StirMark [6], [7] and CheckMark [8], is applied to awatermarked image. These tools assess the robustness of thewatermarking system by how well the watermark information * Seung-Hun Nam and Wonhyuk Ahn contributed equally to this work.
S.-H. Nam, W. Ahn, I.-J. Yu, and H.-K. Lee are with the School ofComputing, Korea Advanced Institute of Science and Technology (KAIST),Daejeon 34141, South Korea (contact e-mail: [email protected])S.-M. Mun is with the Mobile Business, Samsung Electronics Co. Ltd.,Suwon 443742, South Korea.This work has been submitted to the IEEE for possible publication.Copyright may be transferred without notice, after which this version mayno longer be accessible.
Original image
Multi-bit message
Embedder
Watermarked image Attacked imageAbnormal extraction
Watermark embedding
WANExtractor
Watermarking attackWatermark extraction
Normalextraction
Watermark bit 0Watermark bit 1
Fig. 1. How a watermarking attack network (WAN) works. The red arrowdenotes the case in which a message deformed by WAN is extracted; our workcan hinder the extraction of the watermark while maintaining visual quality. survives after these simulated attacks. However, these toolsattack watermarked images in a general way without consid-ering the context of the watermarking system, so they cannotdig into the specific weak points of the watermarking system.Moreover, these attacks degrade visual quality beyond whatis acceptable for commercial exploitation since they do notconsider the statistical properties of the watermarked signal[9].Instead, malicious users can design effective attacks toremove the watermark by targeting the MW and withoutvisual degradation, which further deepens the gap betweenattacks in the real-world and existing benchmark tools [1],[5], [9]. In this case, the watermarking system designers canassume a worst-case attack, where the watermark embeddingand extraction algorithms are public, to make systems morerobust against adversaries. In this context, designing novelbenchmark tools to create tests that are adequate for individual,specific watermarking systems to induce the false extractionof inserted information while maintaining a high quality levelfor the content is important.Motivated by the need for a useful tool to model andunderstand the watermarking process, we propose a water-marking attack network (WAN) that exploits the weak pointsof individual watermarking systems without compromisingvisual quality. As illustrated in Fig. 1, the proposed WANis devised to hinder the extraction of inserted watermarks byadding interference signals to mislead the watermarking ex-tractor. With proposed loss function, our work can both induceabnormal extraction and generate a reconstructed image with avisual quality similar to the original content. We determine that a r X i v : . [ c s . MM ] A ug REPARED FOR IEEE TRANSACTIONS ON 2
TABLE IC
ATEGORIZATION OF MULTI - BIT WATERMARKING METHODS BASED ON THE WATERMARKING DOMAINS AND EMBEDDING ALGORITHMS
Category AttributeWatermarking domain Discrete cosine transform (DCT), discrete wavelet transform (DWT), nonsubsampled contourlet transform (NSCT)dual-tree complex wavelet transform (DTCWT), singular value decomposition (SVD), QR decomposition (QRD)Embedding algorithm Spread spectrum (SS), improved spread spectrum (ISS), quantization (QT),embedding for causing differences between sub-groups (DIF) the residual dense block-based architectures ability to learnlocal and global features is suitable for analysing each MWmethod composed of various procedures and detailed attributessuch as the watermarking domains and embedding algorithms[10]. The main contributions are listed as follows. • To the best of our knowledge, this is the first paperto successfully introduce a convolutional neural network(CNN)-based deep learning framework for watermarkingattack. • Compared to existing benchmark tools [6], [7], the WANwith the proposed loss terms and network architectureis suitable for learning low-level features and inducesabnormal watermark extraction while maintaining theinherent content of a given image. We experimentallydemonstrate that our proposed WAN can successfullyattack variety of watermarking systems [11]–[16] in termsof the watermarking domains and embedding algorithmswhile conserving image quality. • For specific MW methods, it was confirmed that the WANcan apply subtle modification to induce the watermark bitembedded in the image to be extracted in an inverted state(e.g., → or → ).II. R ELATED W ORKS
We propose a new watermarking attack that targets inter-fering of watermark extraction regardless of MW methods. Inthis section, we review previous works related to our work.
A. Multi-bit Watermarking (MW)
Rather than using zero-bit watermarking to detect the pres-ence or the absence of a watermark, MW can be used in var-ious applications since the n-bit-long message ( m = { , } n )can be inserted in the host image I o to get a watermarked image I w [17]. For watermarking, the transform domain suchas DWT [14], DTCWT [12], DCT [11], [13], [15], NSCT[18], SVD [19], and QRD [16] to be inserted is determined,and then watermark embedding is performed by applying anembedding algorithm such as SS [2], [5], ISS [20], QT [21],[22], and DIF [14], [15] to the selected domain (see Table I). Inconsideration of imperceptibility and robustness, MW methodsselect a watermarking domain and an embedding algorithm,and complex procedures such as perceptual masking [2] andtemplate insertion [13] are added.The block-based approach [11]–[16], which inserts a wa-termark bit (0 or 1) in each subblock, is mainly used formulti-bit information insertion rather than the keypoint-basedapproach [4] due to the benefits that can be achieved byutilising the entire domain. In the extraction phase, message ˆm can be extracted from I w in a blind fashion where theoriginal image or any side information is not required [17]. Theperformance of MW is evaluated in terms of imperceptibilityand robustness. Specifically, the visual differences between I o and I w are determined using the IQA metrics, such as peaksignal-to-noise ratio (PSNR) and structural similarity (SSIM)[23], and robustness is evaluated by calculating bit error rate(BER) between m and ˆm . B. Watermarking Attack and Motivation
Watermarking attacks are employed to evaluate the ro-bustness of MW methods; let A w be the attacked imageof I w . By comparing the messages extracted from I w and A w , a MW designer can evaluate the robustness of theMW by determining whether the hidden information survived[9]. Currently, StirMark [6], [7] and CheckMark [8] are therepresentative benchmark tools that provide various types ofcommon attacks such as signal processing operations andgeometric distortions. As can be seen in Fig. 2, common Noiseaddition GaussianfilteringMedianfiltering JPEG compression Cropping andupscaling Downscaling and upscaling
Rotation and downscalingWatermarked ( Kim et al. [9] ) Sharpening WAN
Fig. 2. Examples of the results of conducting watermarking attacks using StirMark and the proposed WAN. The first row shows the visual quality of theattacked images, and the second row shows the residual images between the watermarked and attacked images.
REPARED FOR IEEE TRANSACTIONS ON 3
The architecture of WAN and concept of loss function
Content Loss
Watermarking Attack Loss
Residual dense block (RDB)
Dilated Conv-based residual dense block (DRDB) : Function for generation of residual images
CNN components P re v DRD B N e x t DRD B P re v RD B N e x t RD B Convolutional layer
Dilated convolutional layer
Convolutional layer
ReLUConcatenation
Element-wise addition ...
WAN
Fig. 3. Schematic illustration of the network architecture of our WAN framework. watermarking attacks mounted in StirMark are accompaniedby visual degradation and have a limitation of not being ableto model the vulnerabilities of each MW method. That is, themore that a watermarking attack utilises the characteristics ofthe targeted watermarking system, the more effective the attackis possible without image quality degradations.With the development of neural networks, CNN-based MWmethods [24], [25] have been newly proposed, and they canbe neutralised with adversarial attacks [26] attempting tofool watermarking systems through malicious inputs; theseare referred to as adversarial examples. However, numerousnon-learning-based approaches proposed before deep learningevolved cannot be attacked by an adversarial attack and requirea new type of watermarking attack approach. To addressthese issues, a watermarking attack that exploits the weakpoints of individual watermarking systems of non-learning-based approaches are proposed only when tripled images, I o ,watermarked images with bit 0 I w , and watermarked imageswith bit 1 I w , are given.III. W ATERMARKING A TTACK N ETWORK (WAN)Our proposed WAN is summarised in Fig. 3. Our systemtargets block-based MW and needs one triple set of sub-block image patches, of I o , I w , and I w . WAN takes I w and I w as inputs and reconstructs each of them into attackedimages A w and A w , respectively. Our goal is to reconstructimages that mislead the watermarking extractor to decideon the wrong bit. In other words, when A w and A w areconsidered to have been inserted 1 bit and 0 bit, we judgethe attack to be successfully done. On the other hand, theattacked image should be similar to the original to minimise visual degradation. We start with in-depth descriptions of lossfunctions consisting of watermarking attack loss and contentloss and provide detailed descriptions of the architecture ofthe network and the mini-batch configuration. A. Loss Function
Our goal is to hinder the watermark extraction for the targetMW system. Watermarked images are reconstructed to bereverse bit inserted with following original content to minimisevisual quality degradation. To achieve both, we propose acustomised loss as an objective function to train the WANas follows: L = λ wa L wa + λ c L c , (1)where L wa and L c represent watermarking attack loss, whichis devised to change an inserted bit and content loss tominimise visual degradation, respectively. λ wa and λ c indicatepredefined weight terms for each loss. In the following, wedescribe each of the proposed losses in detail.
1) Watermarking Attack Loss:
Existing watermarkingmethods vary in terms of the watermarking domains andembedding algorithms, so it is difficult to theoretically modelMW in a single system. Moreover, conventional MW methodsincorporate non-differentiable operations, so it is difficult forthe neural network to learn directly from these methods eventhough step-by-step instructions are publicly available. Wesimplify this problem as the watermarking signal is added tothe original image in the pixel domain, and focus on the noisepatterns that are decided by bit information. In other words, theresidual signal arose by bit 0 insertion R o,w = | I o − I w | andthe residual signal arisen by bit 1 insertion R o,w = | I o − I w | ,which can be identified by neural networks. We hypothesise REPARED FOR IEEE TRANSACTIONS ON 4 that the neural network can remove watermarking signals inimages and insert opposite noise patterns, which causes wrongbit extraction at the watermarking extractor. In this case, theattacked image A w on I w would have similar noise pattern ˜ R o,w = | I o − A w | to R o,w , for which the one with bit 0makes. The noise pattern ˜ R o,w of the attacked image A w on I w would be similar to R o,w , in the same way.To capture the above observation, watermarking attack lossfor the image of size W × H , L wa is defined as follows L wa = 1 N N (cid:88) i =1 | R io,w − ˜ R io,w | + 1 N N (cid:88) i =1 | R io,w − ˜ R io,w | , (2)where superscript i refers to pixel location and N = W × H .The first term of Equation 2 is for deriving the watermark bit1 inserted in I w into 0, and the second term is for derivingbit 0 inserted in I w into bit 1. As depicted in Fig. 3, a lossis designed by pairing the residual images before and aftergoing through the WAN according to the inserted bit andreducing the difference between the paired images. Throughthe L wa , it is possible to add a fine noise-like attack thatinverts the actually inserted bit during the process of passingthe watermarked images over the WAN.
2) Content Loss:
In our work, it is important to proceedwith the attack while maintaining the visual quality of thegiven content. To this end, content loss is adopted to reducethe visual differences between the original content I o and itscorresponding reconstructed images, including A w and A w attacked by the WAN (see Fig. 3). Inspired by the papers [27],[28] demonstrating that (cid:96) loss can bring better visual qualitythan (cid:96) loss for general restoration tasks, the content loss of L c is defined as follows L c = 1 N N (cid:88) i =1 1 (cid:88) j =0 | I io − A iw j | . (3)From L c , it is possible to conduct a watermarking attack whileminimising visual quality degradations in the original content.Through the final objective function of L combined with L c and L wa , the proposed WAN can reconstruct images in a waythat adversely affects the extraction of the inserted bit whilemaintaining the inherent properties of the original content. B. Model Architecture
Fig. 3 illustrates the neural network architecture for ourmodel. We follow the network design from the residual densenetwork (RDN) [10] that is used for the learning of thelocal and global features and the ability of image restoration.The residual dense block (RDB) constituting the RDN iscomposed of densely connected convolutional (Conv) layersand is specialised in extracting abundant local features. Inour work, a dilated Conv-based dense block (DRDB) witha dilated Conv layer applied to the RDB is utilised, and theDRDB is placed in the deeper layer to increase the receptivefield. In the proposed WAN, the pooling layer and up-samplingare excluded, so the input and output sizes are the same ( { I w , I w , A w , A w } ∈ Z × W × H ) . The first and secondConv layers are placed to extract shallow features and conduct global residual learning. Next, by placing RDBs in a shallowlayer and subsequent DRDBs in a deeper layer, the localfeatures is learned, and the receptive field increased as thelayer deepened. We expect sub-components for local residuallearning and local feature fusion commonly used in RDB andDRDB to help our model learn low-level features caused bywatermark embedding. After that, by the concatenation layerfollowed by × and × Conv layers, dense local featuresextracted from the set of RDBs and DRDBs are fused in aglobal way. The deep part of the proposed WAN is composedfor global residual learning based on shallow feature maps.
C. Mini-batch Configuration
Since invisible MW is the approach of inserting a watermarkso that it is unnoticeable by HVS, mini-batch configurationsuitable for fine signal learning is required instead of thestandard mini-batch used in high-level computer vision. Theauthors in [29] presented paired mini-batch training, whichis efficient for learning low-level features such as multimediaforensics [30], [31] and steganalysis. To aid in learning thediscriminative features between watermarked results moreeffectively, paired mini-batch training is utilised in our task.That is, I w and I w generated for the same original image I o are allocated in a single batch, which allows the proposedWAN to learn fine signals due to the differences in the finesignals caused by the watermark bit. In detail, when the batchsize is b s , b s I w images are selected first, and then b s I w images corresponding to I w are assigned to be in the samebatch. The entire dataset is shuffled every epoch.IV. E XPERIMENTS
We use IQA metrics, PSNR (dB) and SSIM to determineimperceptibility and BER to evaluate attacks to get quantitativeresults. Next, to show the superiority of our work comparedto StirMark [6], [7], we perform qualitative evaluations.
A. Experimental Setup1) Datasets:
BOSSbase [32] and BOWS [33] datasets areused to generate 20,000 original grey-scale images with a sizeof × . We resize them to × (i.e., W = H = 64 )using the default settings in MATLAB R2018a, the resizedimages are divided into three sets for training, validation,and testing (with a
14 : 1 : 5 ratio). The block-based MWmethods [11]–[16] are used to generate watermarked images,and the images are generated by embedding watermark bits(0 or 1) into the original images given for each method listedin Table II. These methods perform watermark bit extractionin blind fashion, and NSCT-QT indicates that the QT-basedembedding algorithm in [22] is applied to the NSCT domain[18]. The detailed parameters for the watermark embeddingand extraction of each MW method will be provided onlinelater. For further quantitative and qualitative evaluation, weadditionally generate test images sized × for the testingset. Watermarked images with resolutions of × havea watermark capacity of 4 bits. In the experiment, the WAN-based attacks and watermark bit extraction proceeds for each × patch. REPARED FOR IEEE TRANSACTIONS ON 5
TABLE IIQ
UALITATIVE EVALUATION RESULTS ON TESTING SET WITH BIT OF WATERMARK CAPACITY
Multi-bit watermarking system Non-attack WANMethod WD EA Capacity Size of subdivision PSNR SSIM BER PSNR SSIM BERKim et al. [13] DCT SS 1 bit × et al. [11] DCT ISS 1 bit × et al. [11] DCT ISS 1 bit × et al. [15] DCT DIF 1 bit × et al. [16] QR DIF 1 bit × et al. [14] DWT, SVD DIF 1 bit × et al. [14] DWT, SVD DIF 1 bit × et al. [12] DTCWT QT 1 bit - 36.61 0.972 0.021 35.52 0.972 0.622NSCT-QT [18], [22] NSCT QT 1 bit - 39.21 0.987 0.013 36.54 0.980 0.946Average - 38.02 0.972 0.007 36.08 0.973 0.920 ∗ Notes: WD and EA represent abbreviation of the watermarking domain and the embedding algorithm, respectively.
TABLE IIIQ
UALITATIVE EVALUATION RESULTS ON TESTING SET WITH BITS OF WATERMARK CAPACITY
Multi-bit watermarking system Non-attack WANMethod WD EA Capacity Size of subdivision PSNR SSIM BER PSNR SSIM BERKim et al. [13] DCT SS 4 bit × et al. [11] DCT ISS 4 bit × et al. [11] DCT ISS 4 bit × et al. [15] DCT DIF 4 bit × et al. [16] QR DIF 4 bit × et al. [14] DWT, SVD DIF 4 bit × et al. [14] DWT, SVD DIF 4 bit × et al. [12] DTCWT QT 4 bit - 37.52 0.973 0.044 35.85 0.975 0.681NSCT-QT [18], [22] NSCT QT 4 bit - 40.64 0.987 0.041 37.22 0.982 0.885Average - 38.69 0.970 0.015 36.57 0.976 0.910
2) Implementation Details:
We construct our model basedon the CNN components shown in Fig. 3. In detail, the numberof RDB, DRDB, Conv layer per RDB and DRDB, feature-maps, and the growth rate are set to 6, 6, 6, 32, and 16,respectively. For the × dilated Conv layer, we use dilationset to 1 and set the padding and stride to 2.
3) Training Settings:
We build our network using PyTorchand run the experiments on NVIDIA GeForce GTX 1080Ti. In the experiments, we use the Adam optimizer with alearning rate of − and momentum coefficients β = 0 . , β = 0 . . The size of mini-batch b s is set to 32, andeach mini-batch is configured for paired mini-batch training[29]. The proposed WAN is trained with the hyperparameters λ c = 0 . and λ wa = 0 . during 30 epochs, and the best modelis selected as the one that maximises BER on the validationset for each MW method. B. Quantitative Evaluation
In this subsection, quantitative evaluation of the WAN isconducted in terms of bit extraction interference and visualquality of reconstructed attacked images. Table II shows theperformance results of our work on testing set with 1 bitcapacity, which is generated through each MW method, whichare composed of various attributes. In non-attack situations,each method has a low BER value of 0.026 or less, while theaverage BER value increases dramatically to 0.920 after WANis applied. In particular, for MW methods in [11], [14], [16], the BER value of methods rise to 0.985 or more, which meansthat the WAN has learned a fine signal generated during thewatermark embedding and successfully performs bit inversion.In case of [15] and [12], they have lower BER values of0.848 and 0.622, respectively, and we expect this to be anissue because these methods are composed of operations thatare hard to model and attack through the WAN. In general,making the extraction performance at a random guessing levelis considered a very fatal attack [17], and it is validated thatthe proposed L wa successfully leads to abnormal extractionof watermark bits.In addition, minimizing the visual damage caused by water-marking attacks is an important issue in our work. To do this,we introduce L c , and the gain of visual quality obtained fromthe loss can be analyzed through PSNR and SSIM values with I o in Table II. The average PSNR and SSIM values in non-attack situation are 38.02 dB and 0.972, respectively. Afterthe WAN is applied, average PSNR decreases by 1.94 dB,and SSIM remained similar to that before the attack. Theexisting attacks [6]–[8] are not designed considering the visualproperty of content, so it is accompanied by visual degradationduring the attack process. Meanwhile, our model based on L c is capable of inducing the drastic reversal of the watermarkbit with acceptable small loss of image quality.We further conduct the experiments by applying the trainedWAN model with stride to a testing set with 4 bits ofwatermark capacity. As shown in Table III, the average PSNR, REPARED FOR IEEE TRANSACTIONS ON 6
Kim et al. [11] W a t e r m a r k e d W AN Parah et al. [21] Su et al. [27] Kim et al. [9] NSCT-QT [6,30] Makbol et al. [14](SD: )
16 × 16
Makbol et al. [14](SD: )
Lin et al. [14](SD: )
16 × 16
Lin et al. [14](SD: )
Fig. 4. Examples of attacked images generated from the WAN applied to MW methods.
Original image (128 × 128)
Watermarked [9] (PSNR: 39.62 dB)
WAN (PSNR: 38.05 dB) Noise addition (PSNR: 20.72 dB)
Gaussian filtering (PSNR: 17.64 dB)
JPEG compression(PSNR: 27.26 dB) Downscaling and upscaling(PSNR: 25.08 dB)Median filtering(PSNR: 22.23 dB)
Sharpening(PSNR: 15.13 dB)
Crop and upscaling(PSNR: 14.28 dB) Rotation and downscaling (PSNR: 14.04 dB)
WAN (PSNR: 37.89 dB)
Gaussian filtering (PSNR: 25.15 dB)Watermarked [13]-SD: (16 × 16) (PSNR: 38.12 dB) Noise addition(PSNR: 20.66 dB)
Median filtering(PSNR: 23.43 dB)
Sharpening(PSNR: 16.15 dB)
JPEG compression (PSNR: 28.58 dB)Crop and upscaling (PSNR: 16.52 dB)
Downscaling and upscaling(PSNR: 24.50 dB)Rotation and downscaling(PSNR: 18.57 dB)
Original image (128 × 128)
Fig. 5. Comparison of visual quality of the WAN and numerous attacks in StirMark.
SSIM and BER values for attacked images over the WAN are36.57 dB, 0.976, and 0.910, respectively. Compared with theresults in Table II, we confirm that the overall performanceof the WAN is maintained even when the watermark capacityis increased. For some MW methods [12], [15], [18], thereis an improvement and degradation in performance, whichis presumed to be caused by the dependence of each MWon the inherent texture and content characteristics of givenimages. Overall, the results of quantitative evaluation showthat the proposed WAN is suitable for testing MW methodsas a benchmark tool in terms of interference of watermarkextraction, maintenance of visual quality, and scalability ac-cording to watermark capacity.
C. Qualitative Evaluation
Fig. 4 shows the examples of the watermarked image with4 bit of capacity and the attacked image of the proposedWAN. As shown in the top row of Fig. 4, the types of low-level distortion caused by watermark embedding vary by MWmethod while having similar high-level features (i.e., inherentcontent of I o ). The proposed WAN with L wa and L c can hinder watermark extraction by learning these fine feature andinduces the attacked image to visually follow the originalcontent. Our work can produce natural attacked results thatvery similar to images in non-attack situations (see bottomrow of Fig. 4).Fig. 5 compares results of the our model and StirMark[6], [7], representative benchmark tool, consisting signal pro-cessing operations and geometric distortions. For fairness incomparison, attacked images generated through attack param-eters of StirMark that cause random guessing of bit extraction(e.g., BER = 0.5) are compared. As mentioned above, theStirMark is not an approach of attacking by modeling thevulnerability of the MW method or considering inherentcontent, so it is accompanied by unwanted visual degradationin the attack process (see magnified sub-figures in Fig. 5). Incontrast, our WAN can adversely affect the extraction of theinserted bit while maintaining the inherent properties of theoriginal content. From the results of qualitative evaluation, itis confirmed that the CNN architecture specialized for imagerestoration and the proposed loss function are effective ingenerating natural attacked images. REPARED FOR IEEE TRANSACTIONS ON 7
V. C
ONCLUSION
In this paper, we propose a novel CNN-based benchmarktool for block-based MW methods that learns the weak pointsof the targeted watermarking approach and attacks water-marked images to mislead the watermarking extractor withminimal visual degradation. To achieve this goal, we designcustomized losses of a watermarking attack loss for abnormalbit extraction and a content loss to maintain visual quality. Anetwork architecture utilising RDB and DRDB is adopted as abaseline that specialises in learning local and global features.Through quantitative and qualitative experiments with a vari-ety of MW methods, we demonstrate that the proposed WANperforms more effective attacks than existing benchmark toolsin terms of maintaining visual quality and interfering withwatermark extraction. We expect that the proposed WAN willbe helpful for watermarking designers to test the robustness oftheir MW methods. In future works, we will use the proposedWAN to attack a wider range of watermarking systems interms of watermarking domains and embedding algorithms. Inaddition, approaches to various attack scenarios not coveredin this paper will be studied.R
EFERENCES[1] I. Cox, M. Miller, J. Bloom, J. Fridrich, and T. Kalker,
Digital water-marking and steganography . Morgan kaufmann, 2007.[2] M. Barni, F. Bartolini, V. Cappellini, and A. Piva, “A dct-domain systemfor robust image watermarking,”
Signal processing , vol. 66, no. 3, pp.357–372, 1998.[3] L. P´erez-Freire and F. P´erez-Gonz´alez, “Spread-spectrum watermarkingsecurity,”
IEEE Transactions on Information Forensics and Security ,vol. 4, no. 1, pp. 2–24, 2009.[4] S.-H. Nam, W.-H. Kim, S.-M. Mun, J.-U. Hou, S. Choi, and H.-K.Lee, “A sift features based blind watermarking for dibr 3d images,”
Multimedia Tools and Applications , pp. 1–40, 2017.[5] I. J. Cox, J. Kilian, F. T. Leighton, and T. Shamoon, “Secure spreadspectrum watermarking for multimedia,”
IEEE transactions on imageprocessing , vol. 6, no. 12, pp. 1673–1687, 1997.[6] F. A. Petitcolas, R. J. Anderson, and M. G. Kuhn, “Attacks on copyrightmarking systems,” in
International workshop on information hiding .Springer, 1998, pp. 218–238.[7] F. A. Petitcolas, “Watermarking schemes evaluation,”
IEEE signal pro-cessing magazine , vol. 17, no. 5, pp. 58–64, 2000.[8] S. Pereira, S. Voloshynovskiy, M. Madueno, S. Marchand-Maillet, andT. Pun, “Second generation benchmarking and application orientedevaluation,” in
International workshop on information hiding . Springer,2001, pp. 340–353.[9] S. Voloshynovskiy, S. Pereira, V. Iquise, and T. Pun, “Attack modelling:towards a second generation watermarking benchmark,”
Signal process-ing , vol. 81, no. 6, pp. 1177–1214, 2001.[10] Y. Zhang, Y. Tian, Y. Kong, B. Zhong, and Y. Fu, “Residual dense net-work for image super-resolution,” in
Proceedings of the IEEE conferenceon computer vision and pattern recognition , 2018, pp. 2472–2481.[11] Y.-H. Lin and J.-L. Wu, “A digital blind watermarking for depth-image-based rendering 3d images,”
Broadcasting, IEEE Transactionson , vol. 57, no. 2, pp. 602–611, June 2011.[12] H.-D. Kim, J.-W. Lee, T.-W. Oh, and H.-K. Lee, “Robust dt-cwtwatermarking for dibr 3d images,”
Broadcasting, IEEE Transactions on ,vol. 58, no. 4, pp. 533–543, Dec 2012.[13] W.-H. Kim, J.-U. Hou, H.-U. Jang, and H.-K. Lee, “Robust template-based watermarking for dibr 3d images,”
Applied Sciences , vol. 8, no. 6,2018.[14] N. M. Makbol, B. E. Khoo, and T. H. Rassem, “Block-based discretewavelet transform-singular value decomposition image watermarkingscheme using human visual system characteristics,”
IET Image Process-ing , vol. 10, no. 1, pp. 34–52, 2016.[15] S. A. Parah, J. A. Sheikh, N. A. Loan, and G. M. Bhat, “Robust andblind watermarking technique in dct domain using inter-block coefficientdifferencing,”
Digital Signal Processing , vol. 53, pp. 11–24, 2016. [16] Q. Su, G. Wang, X. Zhang, G. Lv, and B. Chen, “An improved colorimage watermarking algorithm based on qr decomposition,”
MultimediaTools and Applications , vol. 76, no. 1, pp. 707–729, 2017.[17] A. Tefas, N. Nikolaidis, and I. Pitas, “Watermarking techniques forimage authentication and copyright protection,” in
Handbook of Imageand Video Processing . Elsevier, 2005, pp. 1083–1109.[18] A. L. Da Cunha, J. Zhou, and M. N. Do, “The nonsubsampled contourlettransform: theory, design, and applications,”
IEEE transactions on imageprocessing , vol. 15, no. 10, pp. 3089–3101, 2006.[19] G. H. Golub and C. Reinsch, “Singular value decomposition and leastsquares solutions,” in
Linear Algebra . Springer, 1971, pp. 134–151.[20] H. S. Malvar and D. A. Florˆencio, “Improved spread spectrum: A newmodulation technique for robust watermarking,”
IEEE transactions onsignal processing , vol. 51, no. 4, pp. 898–905, 2003.[21] D. Kundur and D. Hatzinakos, “Digital watermarking using multires-olution wavelet decomposition,” in
Acoustics, Speech and Signal Pro-cessing, 1998. Proceedings of the 1998 IEEE International Conferenceon , vol. 5. IEEE, 1998, pp. 2969–2972.[22] S.-H. Wang and Y.-P. Lin, “Wavelet tree quantization for copyrightprotection watermarking,”
IEEE Transactions on Image Processing ,vol. 13, no. 2, pp. 154–165, 2004.[23] Z. Wang, A. C. Bovik, H. R. Sheikh, and E. P. Simoncelli, “Imagequality assessment: from error visibility to structural similarity,”
IEEEtransactions on image processing , vol. 13, no. 4, pp. 600–612, 2004.[24] S.-M. Mun, S.-H. Nam, H.-U. Jang, D. Kim, and H.-K. Lee, “A robustblind watermarking using convolutional neural network,” arXiv preprintarXiv:1704.03248 , 2017.[25] S.-M. Mun, S.-H. Nam, H. Jang, D. Kim, and H.-K. Lee, “Finding robustdomain from attacks: A learning framework for blind watermarking,”
Neurocomputing , vol. 337, pp. 191–202, 2019.[26] B. Wen and S. Aydore, “Romark: A robust watermarking system usingadversarial training,” arXiv preprint arXiv:1910.01221 , 2019.[27] D. Kim, H.-U. Jang, S.-M. Mun, S. Choi, and H.-K. Lee, “Medianfiltered image restoration and anti-forensics using adversarial networks,”
IEEE Signal Processing Letters , vol. 25, no. 2, pp. 278–282, 2017.[28] H. Zhao, O. Gallo, I. Frosio, and J. Kautz, “Loss functions for imagerestoration with neural networks,”
IEEE Transactions on computationalimaging , vol. 3, no. 1, pp. 47–57, 2016.[29] J.-S. Park, H.-G. Kim, D.-G. Kim, I.-J. Yu, and H.-K. Lee, “Pairedmini-batch training: A new deep network training for image forensicsand steganalysis,”
Signal Processing: Image Communication , vol. 67,pp. 132–139, 2018.[30] S.-H. Nam, W. Ahn, S.-M. Mun, J. Park, D. Kim, I.-J. Yu, and H.-K. Lee,“Content-aware image resizing detection using deep neural network,”in .IEEE, 2019, pp. 106–110.[31] S.-H. Nam, J. Park, D. Kim, I.-J. Yu, T.-Y. Kim, and H.-K. Lee, “Two-stream network for detecting double compression of h. 264 videos,”in .IEEE, 2019, pp. 111–115.[32] P. Bas, T. Filler, and T. Pevn`y, “Break our steganographic system: the insand outs of organizing boss,” in