A Baseline Method for Removing Invisible Image Watermarks using Deep Image Prior
- URL: http://arxiv.org/abs/2502.13998v1
- Date: Wed, 19 Feb 2025 07:30:19 GMT
- Title: A Baseline Method for Removing Invisible Image Watermarks using Deep Image Prior
- Authors: Hengyue Liang, Taihui Li, Ju Sun
- Abstract summary: We present a black-box method for removing invisible image watermarks without any dataset of watermarked images or knowledge about the watermark system.
We show that from the intermediate steps of DIP one can reliably find an evasion image that can remove invisible watermarks.
- Score: 2.5096001124754728
- Abstract: Image watermarks have been considered a promising technique to help detect AI-generated content, which can be used to protect copyright or prevent fake image abuse. In this work, we present a black-box method for removing invisible image watermarks, without the need of any dataset of watermarked images or any knowledge about the watermark system. Our approach is simple to implement: given a single watermarked image, we regress it by deep image prior (DIP). We show that from the intermediate steps of DIP one can reliably find an evasion image that can remove invisible watermarks while preserving high image quality. Due to its unique working mechanism and practical effectiveness, we advocate including DIP as a baseline invasion method for benchmarking the robustness of watermarking systems. Finally, by showing the limited ability of DIP and other existing black-box methods in evading training-based visible watermarks, we discuss the positive implications on the practical use of training-based visible watermarks to prevent misinformation abuse.
Related papers
- Invisible Watermarks: Attacks and Robustness [0.3495246564946556]
We introduce novel improvements to watermarking robustness and minimize degradation on image quality during attack.
We propose a custom watermark remover network which preserves one of the watermarking modalities while completely removing the other during decoding.
Our evaluation suggests that 1) implementing the watermark remover model to preserve one of the watermark modalities when decoding the other modality slightly improves on the baseline performance, and that 2) LBA degrades the image significantly less compared to uniform blurring of the entire image.
arXiv Detail & Related papers (2024-12-17T03:50:13Z)
- ESpeW: Robust Copyright Protection for LLM-based EaaS via Embedding-Specific Watermark [50.08021440235581]
Embeddings as a Service (EaaS) is emerging as a crucial role in AI applications.
EaaS is vulnerable to model extraction attacks, highlighting the urgent need for copyright protection.
We propose a novel embedding-specific watermarking (ESpeW) mechanism to offer robust copyright protection for EaaS.
arXiv Detail & Related papers (2024-10-23T04:34:49Z)
- Social Media Authentication and Combating Deepfakes using Semi-fragile Invisible Image Watermarking [6.246098300155482]
We propose a semi-fragile image watermarking technique that embeds an invisible secret message into real images for media authentication.
Our proposed framework is designed to be fragile to facial manipulations or tampering while being robust to benign image-processing operations and watermark removal attacks.
arXiv Detail & Related papers (2024-10-02T18:05:03Z)
- Steganalysis on Digital Watermarking: Is Your Defense Truly Impervious? [21.06493827123594]
Steganalysis attacks can extract and remove the watermark with minimal perceptual distortion.
We show how averaging a collection of watermarked images could reveal the underlying watermark pattern.
We propose security guidelines calling for using content-adaptive watermarking strategies and performing security evaluation against steganalysis.
arXiv Detail & Related papers (2024-06-13T12:01:28Z)
- Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks [47.04650443491879]
We analyze the robustness of various AI-image detectors including watermarking and deepfake detectors.
We show that watermarking methods are vulnerable to spoofing attacks where the attacker aims to have real images identified as watermarked ones.
arXiv Detail & Related papers (2023-09-29T18:30:29Z)
- Invisible Image Watermarks Are Provably Removable Using Generative AI [47.25747266531665]
Invisible watermarks safeguard images' copyrights by embedding hidden messages only detectable by owners.
We propose a family of regeneration attacks to remove these invisible watermarks.
The proposed attack method first adds random noise to an image to destroy the watermark and then reconstructs the image.
arXiv Detail & Related papers (2023-06-02T23:29:28Z)
- Certified Neural Network Watermarks with Randomized Smoothing [64.86178395240469]
We propose a certifiable watermarking method for deep learning models.
We show that our watermark is guaranteed to be unremovable unless the model parameters are changed by more than a certain l2 threshold.
Our watermark is also empirically more robust compared to previous watermarking methods.
arXiv Detail & Related papers (2022-07-16T16:06:59Z)
- Watermark Faker: Towards Forgery of Digital Image Watermarking [10.14145437847397]
We make the first attempt to develop digital image watermark fakers by using generative adversarial learning.
Our experiments show that the proposed watermark faker can effectively crack digital image watermarkers in both spatial and frequency domains.
arXiv Detail & Related papers (2021-03-23T12:28:00Z)
- WDNet: Watermark-Decomposition Network for Visible Watermark Removal [61.14614115654322]
The uncertainty of the size, shape, color and transparency of watermarks sets a huge barrier for image-to-image translation techniques.
We combine traditional watermarked image decomposition into a two-stage generator, called Watermark-Decomposition Network (WDNet).
The decomposition formulation enables WDNet to separate watermarks from the images rather than simply removing them.
arXiv Detail & Related papers (2020-12-14T15:07:35Z)
- Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
We propose a novel watermark removal attack from a different perspective.
We design a simple yet powerful transformation algorithm by combining imperceptible pattern embedding and spatial-level transformations.
Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
arXiv Detail & Related papers (2020-09-18T09:14:54Z)
This list is automatically generated from the titles and abstracts of the papers in this site.