Invisible Image Watermarks Are Provably Removable Using Generative AI
- URL: http://arxiv.org/abs/2306.01953v2
- Date: Sun, 6 Aug 2023 17:17:04 GMT
- Title: Invisible Image Watermarks Are Provably Removable Using Generative AI
- Authors: Xuandong Zhao, Kexun Zhang, Zihao Su, Saastha Vasan, Ilya Grishchenko,
Christopher Kruegel, Giovanni Vigna, Yu-Xiang Wang, Lei Li
- Abstract summary: Invisible watermarks safeguard images' copyright by embedding hidden messages only detectable by owners.
We propose a family of regeneration attacks to remove these invisible watermarks.
We show that all invisible watermarks are vulnerable to the proposed attack.
- Score: 35.868455860678935
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Invisible watermarks safeguard images' copyright by embedding hidden messages
only detectable by owners. They also prevent people from misusing images,
especially those generated by AI models. We propose a family of regeneration
attacks to remove these invisible watermarks. The proposed attack method first
adds random noise to an image to destroy the watermark and then reconstructs
the image. This approach is flexible and can be instantiated with many existing
image-denoising algorithms and pre-trained generative models such as diffusion
models. Through formal proofs and empirical results, we show that all invisible
watermarks are vulnerable to the proposed attack. For a particularly resilient
watermark, RivaGAN, regeneration attacks remove 93-99% of the invisible
watermarks while the baseline attacks remove no more than 3%. However, if we do
not require the watermarked image to look the same as the original one,
watermarks that keep the image semantically similar can be an alternative
defense against our attack. Our finding underscores the need for a shift in
research/industry emphasis from invisible watermarks to semantically similar
ones. Code is available at https://github.com/XuandongZhao/WatermarkAttacker.
Related papers
- Certifiably Robust Image Watermark [57.546016845801134]
Generative AI raises many societal concerns such as boosting disinformation and propaganda campaigns.
Watermarking AI-generated content is a key technology to address these concerns.
We propose the first image watermarks with certified robustness guarantees against removal and forgery attacks.
arXiv Detail & Related papers (2024-07-04T17:56:04Z)
- A Transfer Attack to Image Watermarks [1.656188668325832]
We propose a new transfer evasion attack against image watermarks in the no-box setting.
Our major contribution is to show, both theoretically and empirically, that watermark-based AI-generated image detectors are not robust to evasion attacks (see the sketch after this entry).
arXiv Detail & Related papers (2024-03-22T17:33:11Z)
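The no-box transfer idea can be sketched as a perturbation crafted against an ensemble of locally trained surrogate detectors, in the hope that it transfers to the unseen target. The `surrogates` interface (image batch in, watermark logit out) and all hyperparameters below are assumptions for illustration, not the paper's method.

```python
# Sketch of a transfer evasion attack: optimize one perturbation that
# lowers the "watermarked" score of every local surrogate detector.
import torch

def transfer_evasion(image, surrogates, steps=100, lr=0.01, eps=8 / 255):
    delta = torch.zeros_like(image, requires_grad=True)
    opt = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        adv = (image + delta).clamp(0, 1)
        # Drive every surrogate's watermark logit down simultaneously.
        loss = sum(s(adv.unsqueeze(0)).squeeze() for s in surrogates)
        opt.zero_grad()
        loss.backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-eps, eps)  # keep the evasion imperceptible
    return (image + delta).detach().clamp(0, 1)
```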
- Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks [47.04650443491879]
We analyze the robustness of various AI-image detectors, including watermarking and deepfake detectors.
We show that watermarking methods are vulnerable to spoofing attacks, where the attacker aims to have real images identified as watermarked ones (see the sketch after this entry).
arXiv Detail & Related papers (2023-09-29T18:30:29Z)
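Spoofing runs the optimization in the opposite direction: perturb a real photo until a watermark decoder reads a chosen message from it, so the photo is flagged as watermarked. The `decoder` interface (image batch in, per-bit logits out) and `target_bits` (a float 0/1 tensor) are hypothetical stand-ins, not the paper's setup.

```python
# Sketch of a spoofing attack against a watermark decoder.
import torch
import torch.nn.functional as F

def spoof(image, decoder, target_bits, steps=200, lr=0.005, eps=4 / 255):
    delta = torch.zeros_like(image, requires_grad=True)
    opt = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        adv = (image + delta).clamp(0, 1)
        logits = decoder(adv.unsqueeze(0)).squeeze(0)
        # Push the decoded bits toward the spoofed watermark message.
        loss = F.binary_cross_entropy_with_logits(logits, target_bits)
        opt.zero_grad()
        loss.backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-eps, eps)
    return (image + delta).detach().clamp(0, 1)
```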
- Towards Robust Model Watermark via Reducing Parametric Vulnerability [57.66709830576457]
Backdoor-based ownership verification has recently become popular; it lets the model owner watermark the model.
We propose a mini-max formulation to find watermark-removed models and recover their watermark behavior (see the sketch after this entry).
Our method improves the robustness of model watermarking against parametric changes and numerous watermark-removal attacks.
arXiv Detail & Related papers (2023-09-09T12:46:08Z)
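A rough first-order sketch of the mini-max idea: the inner loop perturbs a copy of the model to erase the backdoor watermark, and the outer step trains the original model to restore watermark behavior at that worst case. The gradient approximation and the omission of the main-task loss are simplifications for illustration; the paper's exact procedure may differ.

```python
# Sketch of a mini-max training step for robust model watermarking.
import copy
import torch

def minimax_step(model, trigger_x, trigger_y, loss_fn,
                 inner_steps=3, inner_lr=1e-2, outer_lr=1e-4):
    # Inner maximization: find a nearby "watermark-removed" model.
    perturbed = copy.deepcopy(model)
    inner_opt = torch.optim.SGD(perturbed.parameters(), lr=inner_lr)
    for _ in range(inner_steps):
        inner_loss = -loss_fn(perturbed(trigger_x), trigger_y)
        inner_opt.zero_grad()
        inner_loss.backward()
        inner_opt.step()
    # Outer minimization (first-order): apply the watermark-loss gradient
    # taken at the perturbed parameters back onto the original model.
    outer_loss = loss_fn(perturbed(trigger_x), trigger_y)
    grads = torch.autograd.grad(outer_loss, list(perturbed.parameters()))
    with torch.no_grad():
        for p, g in zip(model.parameters(), grads):
            p -= outer_lr * g
    return float(outer_loss)
```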
- Watermark Vaccine: Adversarial Attacks to Prevent Watermark Removal [69.10633149787252]
We propose a novel defence mechanism that uses adversarial machine learning for good.
Two types of vaccines are proposed: the Disrupting Watermark Vaccine (DWV) causes watermark-removal networks to ruin the host image along with the watermark.
The Inerasable Watermark Vaccine (IWV) works the other way, trying to keep the watermark intact and still noticeable after a removal attempt (see the sketch after this entry).
arXiv Detail & Related papers (2022-07-17T13:50:02Z)
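A DWV-style vaccine can be sketched as an adversarial perturbation, added before releasing the image, that maximizes the damage a removal network does when it tries to strip the watermark. `removal_net` stands in for any watermark-removal model; hyperparameters are illustrative.

```python
# Sketch of a Disrupting Watermark Vaccine: the protected image makes a
# watermark-removal network ruin its own output.
import torch
import torch.nn.functional as F

def vaccinate(image, removal_net, steps=100, lr=0.01, eps=8 / 255):
    delta = torch.zeros_like(image, requires_grad=True)
    opt = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        protected = (image + delta).clamp(0, 1)
        restored = removal_net(protected.unsqueeze(0)).squeeze(0)
        # Maximize the distortion the removal network introduces.
        loss = -F.mse_loss(restored, image)
        opt.zero_grad()
        loss.backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-eps, eps)  # the vaccine itself stays invisible
    return (image + delta).detach().clamp(0, 1)
```

An IWV-style vaccine would instead minimize the difference between the removal network's output and the watermarked input, keeping the watermark in place.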
- Certified Neural Network Watermarks with Randomized Smoothing [64.86178395240469]
We propose a certifiable watermarking method for deep learning models.
We show that our watermark is guaranteed to be unremovable unless the model parameters are changed by more than a certain l2 threshold (see the sketch after this entry).
Our watermark is also empirically more robust than previous watermarking methods.
arXiv Detail & Related papers (2022-07-16T16:06:59Z)
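The certificate can be illustrated with randomized smoothing over the parameter space: estimate how often the trigger-set watermark survives Gaussian parameter noise, then convert that into an l2 radius of the form sigma * Phi^{-1}(p). This Monte Carlo sketch uses a point estimate and an arbitrary 90% trigger-accuracy threshold where the paper would use rigorous confidence bounds.

```python
# Sketch of a smoothing-style certificate for a trigger-set watermark.
import copy
from statistics import NormalDist
import torch

def certify_watermark(model, trigger_x, trigger_y, sigma=0.1, n=200):
    hits = 0
    with torch.no_grad():
        for _ in range(n):
            noisy = copy.deepcopy(model)
            for p in noisy.parameters():
                p += sigma * torch.randn_like(p)  # Gaussian parameter noise
            preds = noisy(trigger_x).argmax(dim=1)
            hits += int((preds == trigger_y).float().mean() > 0.9)
    p_hat = min(hits / n, 0.999)  # use a confidence lower bound in practice
    if p_hat <= 0.5:
        return 0.0  # no certificate
    return sigma * NormalDist().inv_cdf(p_hat)  # certified l2 radius
```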
- Watermark Faker: Towards Forgery of Digital Image Watermarking [10.14145437847397]
We make the first attempt to develop digital image watermark fakers using generative adversarial learning (see the sketch after this entry).
Our experiments show that the proposed watermark faker can effectively crack digital image watermarkers in both the spatial and frequency domains.
arXiv Detail & Related papers (2021-03-23T12:28:00Z)
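A pix2pix-style training step conveys the faker idea: given (original, watermarked) pairs collected from the target scheme, a generator learns to imitate the embedding so it can forge watermarks on arbitrary images. The two-argument conditional discriminator and the L1 weight are assumptions, not the paper's architecture.

```python
# Sketch of one adversarial training step for a watermark faker.
import torch
import torch.nn.functional as F

def faker_step(gen, disc, gen_opt, disc_opt, original, watermarked):
    fake = gen(original)
    # Discriminator: real (original, watermarked) pairs vs. faked pairs.
    real_logits = disc(original, watermarked)
    fake_logits = disc(original, fake.detach())
    d_loss = (F.binary_cross_entropy_with_logits(real_logits, torch.ones_like(real_logits))
              + F.binary_cross_entropy_with_logits(fake_logits, torch.zeros_like(fake_logits)))
    disc_opt.zero_grad()
    d_loss.backward()
    disc_opt.step()
    # Generator: fool the discriminator while matching the true embedding.
    fake_logits = disc(original, fake)
    g_loss = (F.binary_cross_entropy_with_logits(fake_logits, torch.ones_like(fake_logits))
              + 100.0 * F.l1_loss(fake, watermarked))
    gen_opt.zero_grad()
    g_loss.backward()
    gen_opt.step()
    return float(d_loss), float(g_loss)
```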
- Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
We propose a novel watermark removal attack from a different perspective.
We design a simple yet powerful transformation algorithm that combines imperceptible pattern embedding with spatial-level transformations (see the sketch after this entry).
Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
arXiv Detail & Related papers (2020-09-18T09:14:54Z)
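The attack can be pictured as an inference-time wrapper: every query to the stolen model is first given an imperceptible pattern and a small spatial transform, which tends to break trigger-based ownership verification while barely affecting clean accuracy. The specific pattern, shift range, and class below are illustrative assumptions.

```python
# Sketch of input preprocessing that evades trigger-based verification.
import torch
import torch.nn.functional as F

class PreprocessedModel(torch.nn.Module):
    def __init__(self, stolen_model, pattern_strength=0.02, max_shift=0.05):
        super().__init__()
        self.model = stolen_model
        self.pattern_strength = pattern_strength
        self.max_shift = max_shift

    def forward(self, x):  # x: (B, C, H, W) images in [0, 1]
        # Imperceptible pattern embedding: a fixed low-amplitude sinusoid.
        pattern = torch.sin(0.5 * torch.arange(x.shape[-1], device=x.device, dtype=x.dtype))
        x = (x + self.pattern_strength * pattern).clamp(0, 1)
        # Spatial-level transformation: a small random translation.
        b = x.shape[0]
        theta = torch.zeros(b, 2, 3, device=x.device)
        theta[:, 0, 0] = 1.0
        theta[:, 1, 1] = 1.0
        theta[:, :, 2] = (torch.rand(b, 2, device=x.device) - 0.5) * 2 * self.max_shift
        grid = F.affine_grid(theta, list(x.shape), align_corners=False)
        return self.model(F.grid_sample(x, grid, align_corners=False))
```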
This list is automatically generated from the titles and abstracts of the papers on this site.
This site does not guarantee the quality of the listed information and is not responsible for any consequences arising from its use.