Robust Watermarks Leak: Channel-Aware Feature Extraction Enables Adversarial Watermark Manipulation

• URL: http://arxiv.org/abs/2502.06418v1
• Date: Mon, 10 Feb 2025 12:55:08 GMT
• Title: Robust Watermarks Leak: Channel-Aware Feature Extraction Enables Adversarial Watermark Manipulation
• Authors: Zhongjie Ba, Yitao Zhang, Peng Cheng, Bin Gong, Xinyu Zhang, Qinglong Wang, Kui Ren,
• Abstract summary: We propose an attack framework that extracts leakage of watermark patterns using a pre-trained vision model. Unlike prior works requiring massive data or detector access, our method achieves both forgery and detection evasion with a single watermarked image. Our work exposes the robustness-stealthiness paradox: current "robust" watermarks sacrifice security for distortion resistance, providing insights for future watermark design.
• Score: 21.41643665626451
• License:
• Abstract: Watermarking plays a key role in the provenance and detection of AI-generated content. While existing methods prioritize robustness against real-world distortions (e.g., JPEG compression and noise addition), we reveal a fundamental tradeoff: such robust watermarks inherently improve the redundancy of detectable patterns encoded into images, creating exploitable information leakage. To leverage this, we propose an attack framework that extracts leakage of watermark patterns through multi-channel feature learning using a pre-trained vision model. Unlike prior works requiring massive data or detector access, our method achieves both forgery and detection evasion with a single watermarked image. Extensive experiments demonstrate that our method achieves a 60\% success rate gain in detection evasion and 51\% improvement in forgery accuracy compared to state-of-the-art methods while maintaining visual fidelity. Our work exposes the robustness-stealthiness paradox: current "robust" watermarks sacrifice security for distortion resistance, providing insights for future watermark design.

Related papers

• LampMark: Proactive Deepfake Detection via Training-Free Landmark Perceptual Watermarks [7.965986856780787]
  This paper introduces a novel training-free landmark perceptual watermark, LampMark for short. We first analyze the structure-sensitive characteristics of Deepfake manipulations and devise a secure and confidential transformation pipeline. We present an end-to-end watermarking framework that imperceptibly embeds and extracts watermarks concerning the images to be protected.
  arXiv  Detail & Related papers  (2024-11-26T08:24:56Z)
• Trigger-Based Fragile Model Watermarking for Image Transformation Networks [2.38776871944507]
  In fragile watermarking, a sensitive watermark is embedded in an object in a manner such that the watermark breaks upon tampering. We introduce a novel, trigger-based fragile model watermarking system for image transformation/generation networks. Our approach, distinct from robust watermarking, effectively verifies the model's source and integrity across various datasets and attacks.
  arXiv  Detail & Related papers  (2024-09-28T19:34:55Z)
• Certifiably Robust Image Watermark [57.546016845801134]
  Generative AI raises many societal concerns such as boosting disinformation and propaganda campaigns. Watermarking AI-generated content is a key technology to address these concerns. We propose the first image watermarks with certified robustness guarantees against removal and forgery attacks.
  arXiv  Detail & Related papers  (2024-07-04T17:56:04Z)
• Latent Watermark: Inject and Detect Watermarks in Latent Diffusion Space [7.082806239644562]
  Existing methods face the dilemma of image quality and watermark robustness. Watermarks with superior image quality usually have inferior robustness against attacks such as blurring and JPEG compression. We propose Latent Watermark, which injects and detects watermarks in the latent diffusion space.
  arXiv  Detail & Related papers  (2024-03-30T03:19:50Z)
• RAW: A Robust and Agile Plug-and-Play Watermark Framework for AI-Generated Images with Provable Guarantees [33.61946642460661]
  This paper introduces a robust and agile watermark detection framework, dubbed as RAW. We employ a classifier that is jointly trained with the watermark to detect the presence of the watermark. We show that the framework provides provable guarantees regarding the false positive rate for misclassifying a watermarked image.
  arXiv  Detail & Related papers  (2024-01-23T22:00:49Z)
• WAVES: Benchmarking the Robustness of Image Watermarks [67.955140223443]
  WAVES (Watermark Analysis Via Enhanced Stress-testing) is a benchmark for assessing image watermark robustness. We integrate detection and identification tasks and establish a standardized evaluation protocol comprised of a diverse range of stress tests. We envision WAVES as a toolkit for the future development of robust watermarks.
  arXiv  Detail & Related papers  (2024-01-16T18:58:36Z)
• Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks [47.04650443491879]
  We analyze the robustness of various AI-image detectors including watermarking and deepfake detectors. We show that watermarking methods are vulnerable to spoofing attacks where the attacker aims to have real images identified as watermarked ones.
  arXiv  Detail & Related papers  (2023-09-29T18:30:29Z)
• Safe and Robust Watermark Injection with a Single OoD Image [90.71804273115585]
  Training a high-performance deep neural network requires large amounts of data and computational resources. We propose a safe and robust backdoor-based watermark injection technique. We induce random perturbation of model parameters during watermark injection to defend against common watermark removal attacks.
  arXiv  Detail & Related papers  (2023-09-04T19:58:35Z)
• Watermarking Images in Self-Supervised Latent Spaces [75.99287942537138]
  We revisit watermarking techniques based on pre-trained deep networks, in the light of self-supervised approaches. We present a way to embed both marks and binary messages into their latent spaces, leveraging data augmentation at marking time.
  arXiv  Detail & Related papers  (2021-12-17T15:52:46Z)
• Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
  We propose a novel watermark removal attack from a different perspective. We design a simple yet powerful transformation algorithm by combining imperceptible pattern embedding and spatial-level transformations. Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
  arXiv  Detail & Related papers  (2020-09-18T09:14:54Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.