Generating Image Adversarial Examples by Embedding Digital Watermarks
- URL: http://arxiv.org/abs/2009.05107v2
- Date: Wed, 3 Aug 2022 18:00:06 GMT
- Title: Generating Image Adversarial Examples by Embedding Digital Watermarks
- Authors: Yuexin Xiang, Tiantian Li, Wei Ren, Tianqing Zhu and Kim-Kwang Raymond Choo
- Abstract summary: We propose a novel digital watermark-based method to generate image adversarial examples to fool deep neural network (DNN) models.
We devise an efficient mechanism to select host images and watermark images and utilize the improved discrete wavelet transform (DWT) based watermarking algorithm.
Our scheme generates a large number of adversarial examples efficiently, taking an average of 1.17 seconds to complete the attack on each image in the CIFAR-10 dataset.
- Score: 38.93689142953098
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: With the increasing attention to deep neural network (DNN) models, attacks on such models are also emerging. For example, an attacker may carefully construct images in specific ways (also referred to as adversarial examples) aiming to mislead the DNN models into outputting incorrect classification results. Similarly, many approaches have been proposed to detect and mitigate adversarial examples, usually targeting specific dedicated attacks. In this paper, we propose a novel digital watermark-based method to generate image adversarial examples that fool DNN models. Specifically, partial main features of the watermark image are embedded into the host image almost invisibly, aiming to tamper with and degrade the recognition capability of the DNN models. We devise an efficient mechanism to select host images and watermark images, and utilize the improved discrete wavelet transform (DWT) based Patchwork watermarking algorithm with a set of valid hyperparameters to embed digital watermarks from the watermark image dataset into original images, thereby generating image adversarial examples. The experimental results show that the attack success rate on common DNN models reaches an average of 95.47% on the CIFAR-10 dataset, with a maximum of 98.71%. Moreover, our scheme generates a large number of adversarial examples efficiently, taking an average of 1.17 seconds to complete the attack on each image in the CIFAR-10 dataset. In addition, we design a baseline experiment using watermark images generated from Gaussian noise as the watermark image dataset, which also demonstrates the effectiveness of our scheme. Similarly, we propose a modified discrete cosine transform (DCT) based Patchwork watermarking algorithm. To ensure repeatability and reproducibility, the source code is available on GitHub.
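The core operation described in the abstract is embedding a watermark image's main (low-frequency) features into a host image in the DWT domain. The following is a minimal sketch of that general idea using PyWavelets; the function name `embed_dwt_watermark`, the blending factor `alpha`, and the simple additive rule are illustrative assumptions, not the authors' exact Patchwork implementation or hyperparameters.

```python
import numpy as np
import pywt


def embed_dwt_watermark(host: np.ndarray, watermark: np.ndarray,
                        alpha: float = 0.1, wavelet: str = "haar") -> np.ndarray:
    """Blend the watermark's low-frequency DWT band into the host image.

    Illustrative sketch: assumes both inputs are grayscale uint8 arrays with
    the same, even dimensions (e.g. a 32x32 CIFAR-10 image in grayscale).
    """
    # Decompose each image into approximation (cA) and detail sub-bands.
    cA_h, (cH_h, cV_h, cD_h) = pywt.dwt2(host.astype(np.float64), wavelet)
    cA_w, _ = pywt.dwt2(watermark.astype(np.float64), wavelet)
    # Embed only the watermark's main (approximation) features, scaled by alpha.
    cA_mix = (1.0 - alpha) * cA_h + alpha * cA_w
    # Reconstruct from the mixed approximation band plus the host's details.
    out = pywt.idwt2((cA_mix, (cH_h, cV_h, cD_h)), wavelet)
    return np.clip(out, 0, 255).astype(np.uint8)
```

A small `alpha` keeps the perturbation nearly invisible while still shifting the classifier's prediction; a larger `alpha` strengthens the attack at the cost of visibility. An analogous DCT-domain variant, as the abstract mentions, would replace the wavelet transform with a block DCT.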
Related papers
- RAW: A Robust and Agile Plug-and-Play Watermark Framework for AI-Generated Images with Provable Guarantees [33.61946642460661]
This paper introduces a robust and agile watermark detection framework, dubbed RAW.
We employ a classifier that is jointly trained with the watermark to detect the presence of the watermark.
We show that the framework provides provable guarantees regarding the false positive rate for misclassifying a watermarked image.
arXiv Detail & Related papers (2024-01-23T22:00:49Z)
- DIAGNOSIS: Detecting Unauthorized Data Usages in Text-to-image Diffusion Models [79.71665540122498]
We propose a method for detecting unauthorized data usage by planting injected content into the protected dataset.
Specifically, we modify the protected images by adding unique content to them using stealthy image warping functions.
By analyzing whether a model has memorized the injected content, we can detect models that have illegally utilized the unauthorized data.
arXiv Detail & Related papers (2023-07-06T16:27:39Z)
- DiffWA: Diffusion Models for Watermark Attack [8.102989872457156]
We propose DiffWA, a conditional diffusion model with distance guidance for watermark attack.
The core of our method is training an image-to-image conditional diffusion model on unwatermarked images.
The results show that the model can effectively remove the watermark, pushing the bit error rate of watermark extraction above 0.4 (a minimal sketch of this metric follows this list).
arXiv Detail & Related papers (2023-06-22T10:45:49Z)
- On Function-Coupled Watermarks for Deep Neural Networks [15.478746926391146]
We propose a novel DNN watermarking solution that can effectively defend against watermark removal attacks.
Our key insight is to enhance the coupling of the watermark and model functionalities.
Results show a 100% watermark authentication success rate under aggressive watermark removal attacks.
arXiv Detail & Related papers (2023-02-08T05:55:16Z)
- Exploring Structure Consistency for Deep Model Watermarking [122.38456787761497]
The intellectual property (IP) of deep neural networks (DNNs) can be easily "stolen" by surrogate model attacks.
We propose a new watermarking methodology, namely "structure consistency", based on which a new deep structure-aligned model watermarking algorithm is designed.
arXiv Detail & Related papers (2021-08-05T04:27:15Z)
- Reversible Watermarking in Deep Convolutional Neural Networks for Integrity Authentication [78.165255859254]
We propose a reversible watermarking algorithm for integrity authentication.
Embedding the reversible watermark degrades classification performance by less than 0.5%.
At the same time, the integrity of the model can be verified by applying the reversible watermarking.
arXiv Detail & Related papers (2021-04-09T09:32:21Z)
- Robust Black-box Watermarking for Deep NeuralNetwork using Inverse Document Frequency [1.2502377311068757]
We propose a framework for watermarking a deep neural network (DNN) model designed for the textual domain.
The proposed embedding procedure takes place during model training, making the watermark verification stage straightforward.
The experimental results show that watermarked models have the same accuracy as the original ones.
arXiv Detail & Related papers (2021-03-09T17:56:04Z)
- Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
We propose a novel watermark removal attack from a different perspective.
We design a simple yet powerful transformation algorithm by combining imperceptible pattern embedding and spatial-level transformations.
Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
arXiv Detail & Related papers (2020-09-18T09:14:54Z)
- Model Watermarking for Image Processing Networks [120.918532981871]
How to protect the intellectual property of deep models is a very important but seriously under-researched problem.
We propose the first model watermarking framework for protecting image processing models.
arXiv Detail & Related papers (2020-02-25T18:36:18Z)
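The DiffWA entry above reports a watermark-extraction bit error rate (BER) above 0.4. For reference, here is a minimal sketch of how that metric is typically computed; the function name and bit-array representation are assumptions, not code from any of the papers listed.

```python
import numpy as np


def bit_error_rate(embedded_bits: np.ndarray, extracted_bits: np.ndarray) -> float:
    """Fraction of watermark bits that differ after extraction.

    A BER near 0 means the watermark survived; a BER around 0.5 means the
    extracted bits are indistinguishable from random guessing, i.e. the
    watermark has been effectively destroyed.
    """
    embedded_bits = np.asarray(embedded_bits).ravel()
    extracted_bits = np.asarray(extracted_bits).ravel()
    return float(np.mean(embedded_bits != extracted_bits))
```

Since random guessing yields a BER of about 0.5, a BER above 0.4 indicates the extracted watermark carries almost no recoverable information, which is why DiffWA treats it as successful watermark removal.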
This list is automatically generated from the titles and abstracts of the papers on this site.
The site does not guarantee the quality of the information presented and is not responsible for any consequences arising from its use.