Improving the security of image manipulation detection through one-and-a-half-class multiple classification

  • Mauro Barni
  • Ehsan NowrooziEmail author
  • Benedetta Tondi


Protecting image manipulation detectors against perfect knowledge attacks requires the adoption of detector architectures which are intrinsically difficult to attack. In this paper, we do so, by exploiting a recently proposed multiple-classifier architecture combining the improved security of 1-Class (1C) classification and the good performance ensured by conventional 2-Class (2C) classification in the absence of attacks. The architecture, also known as 1.5-Class (1.5C) classifier, consists of one 2C classifier and two 1C classifiers run in parallel followed by a final 1C classifier. In our system, the first three classifiers are implemented by means of Support Vector Machines (SVM) fed with SPAM features. The outputs of such classifiers are then processed by a final 1C SVM in charge of making the final decision. Particular care is taken to design a proper strategy to train the SVMs the 1.5C classifier relies on. This is a crucial task, due to the difficulty of training the two 1C classifiers at the front end of the system. We assessed the performance of the proposed solution with regard to three manipulation detection tasks, namely image resizing, median filtering and contrast enhancement. As a result the security improvement allowed by the 1.5C architecture with respect to a conventional 2C solution is confirmed, with a performance loss in the absence of attacks that remains at a negligible level.


Adversarial multimedia forensics Forensics and counter-forensics Manipulation detection Secure classification Security of machine learning classifiers 



This work was supported partially by Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL) under the research grant number FA8750-16-2-0173. The United States Government is certified to reproduce and distribute reprints for Governmental objectives notwithstanding any copyright notation thereon. The views and conclusions consist of herein are those of the authors and should not be explained as necessarily representing the official policies or authorization, either expressed or implied, DARPA and AFRL or U.S. Government.


  1. 1.
    Barni M, Chen Z, Tondi B (2016) Adversary-aware, data-driven detection of double jpeg compression: How to make counter-forensics harder. In: 2016 IEEE international workshop on information forensics and security (WIFS), pp 1–6Google Scholar
  2. 2.
    Barni M, Costanzo A, Nowroozi E, Tondi B (2018) Cnn-based detection of generic contrast adjustment with jpeg post-processing. In: 2018 25th IEEE international conference on image processing (ICIP). IEEE, pp 3803–3807Google Scholar
  3. 3.
    Barni M, Nowroozi E, Tondi B (2017) Higher-order, adversary-aware, double jpeg-detection via selected training on attacked samples. In: 2017 25th European signal processing conference (EUSIPCO), pp 281–285Google Scholar
  4. 4.
    Barni M, Stamm MC, Tondi B (2018) Adversarial multimedia forensics: Overview and challenges ahead. In: 2018 26th European signal processing conference (EUSIPCO). IEEE, pp 962–966Google Scholar
  5. 5.
    Bayar B, Stamm MC (2016) A deep learning approach to universal image manipulation detection using a new convolutional layer. In: Proceedings of the 4th ACM workshop on information hiding and multimedia security. ACM, pp 5–10Google Scholar
  6. 6.
    Bayar B, Stamm MC (2018) Towards open set camera model identification using a deep learning framework, pp 2007–2011.
  7. 7.
    Biggio B, Corona I, He ZM, Chan PPK, Giacinto G, Yeung DS, Roli F (2015) One-and-a-half-class multiple classifier systems for secure learning against evasion attacks at test time. In: Schwenker F., Roli F., Kittler J. (eds) Multiple classifier systems. Springer International Publishing, Cham, pp 168–180CrossRefGoogle Scholar
  8. 8.
    Biggio B, Corona I, Maiorca D, Nelson B, Šrndić N, Laskov P, Giacinto G, Roli F Blockeel H, Kersting K, Nijssen S, železný F (eds) (2013) Evasion attacks against machine learning at test time. Springer, BerlinGoogle Scholar
  9. 9.
    Boser BE, Guyon IM, Vapnik VN (1992) A training algorithm for optimal margin classifiers. In: Proceedings of the fifth annual workshop on Computational learning theory. ACM, pp 144–152Google Scholar
  10. 10.
    Chang CC, Lin CJ (2011) Libsvm: A library for support vector machines. ACM Trans Intell Syst Technol 2(3):27:1?27:27CrossRefGoogle Scholar
  11. 11.
    Chen Z, Tondi B, Li X, Ni R, Zhao Y, Barni M (2017) A gradient-based pixel-domain attack against svm detection of global image manipulations. In: 2017 IEEE workshop on information forensics and security (WIFS), pp 1–6Google Scholar
  12. 12.
    Dang-Nguyen DT, Pasquini C, Conotter V, Boato G (2015) Raise: a raw images dataset for digital image forensics. In: Proceedings of the 6th ACM Multimedia Systems Conference, MMSys ’15. ACM, New York, pp 219–224Google Scholar
  13. 13.
    D’Avino D, Cozzolino D, Poggi G, Verdoliva L (2017) Autoencoder with recurrent neural networks for video forgery detection. Electronic Imaging 2017(7):92–99CrossRefGoogle Scholar
  14. 14.
    Gloe T, Kirchner M, Winkler A, Bohme R (2007) Can we trust digital image forensics?. In: ACM Multimedia 2007, Augsburg, Germany, pp 78–86Google Scholar
  15. 15.
    Hasan M, Choi J, Neumann J, Roy-Chowdhury AK, Davis LS (2016) Learning temporal regularity in video sequences. In: Proceedings of the IEEE conference on computer vision and pattern recognition, pp 733–742Google Scholar
  16. 16.
    Hsu CW, Chang CC, Lin CJ, et al. (2003) A practical guide to support vector classificationGoogle Scholar
  17. 17.
    Huang L, Joseph AD, Nelson B, Rubinstein BI, Tygar J (2011) Adversarial machine learning, pp 43–58Google Scholar
  18. 18.
    Khan SS, Madden MG (2010) A survey of recent trends in one class classification. In: Proceedings of the 20th Irish conference on artificial intelligence and cognitive science, AICS’09. Springer, Berlin, pp 188–197CrossRefGoogle Scholar
  19. 19.
    Kodovsky J, Fridrich J, Holub V (2012) Ensemble classifiers for steganalysis of digital media. IEEE Trans Inf Forensics Secur 7(2):432–444CrossRefGoogle Scholar
  20. 20.
    Li H, Luo W, Qiu X, Huang J (2018) Identification of various image operations using residual-based features. IEEE Trans Circuits Syst Video Technol 28 (1):31–45CrossRefGoogle Scholar
  21. 21.
    Marchi E, Vesperini F, Eyben F, Squartini S, Schuller B (2015) A novel approach for automatic acoustic novelty detection using a denoising autoencoder with bidirectional lstm neural networks. In: 2015 IEEE international conference on acoustics, speech and signal processing (ICASSP), pp 1996–2000.
  22. 22.
    Marra F, Poggi G, Roli F, Sansone C, Verdoliva L (2015) Counter-forensics in machine learning based forgery detection. In: Media watermarking, security, and forensics 2015. International Society for Optics and Photonics, vol 9409, p 94090LGoogle Scholar
  23. 23.
    Montgomery DC (2017) Design and analysis of experiments. Wiley, New YorkGoogle Scholar
  24. 24.
    Costa FdO, Eckmann M, Scheirer WJ, Rocha A (2012) Open set source camera attribution. In: 2012 25th SIBGRAPI conference on graphics, patterns and images, pp 71–78.
  25. 25.
    Papernot N, McDaniel P, Jha S, Fredrikson M, Celik ZB, Swami A (2016) The limitations of deep learning in adversarial settings. In: 2016 IEEE European symposium on security and privacy (EuroS&P). IEEE, pp 372–387Google Scholar
  26. 26.
    Perdisci R, Gu G, Lee W (2006) Using an ensemble of one-class svm classifiers to harden payload-based anomaly detection systems. In: Sixth international conference on data mining (ICDM’06), pp 488–498.
  27. 27.
    Pevny T, Bas P, Fridrich J (2010) Steganalysis by subtractive pixel adjacency matrix. IEEE Trans Inf Forensics Secur 5(2):215–224CrossRefGoogle Scholar
  28. 28.
    Rattani A, Scheirer WJ, Ross A (2015) Open set fingerprint spoof detection across novel fabrication materials. IEEE Trans Inf Forensics Secur 10(11):2447–2460. CrossRefGoogle Scholar
  29. 29.
    Ravanbakhsh M, Nabi M, Sangineto E, Marcenaro L, Regazzoni C, Sebe N (2017) Abnormal event detection in videos using generative adversarial nets. In: 2017 IEEE international conference on image processing (ICIP). IEEE, pp 1577–1581Google Scholar
  30. 30.
    Schölkopf B, Platt JC, Shawe-Taylor JC, Smola AJ, Williamson RC (2001) Estimating the support of a high-dimensional distribution. Neural Comput 13 (7):1443–1471CrossRefGoogle Scholar
  31. 31.
    Schölkopf B., Smola AJ, Williamson RC, Bartlett PL (2000) New support vector algorithms. Neural Comput 12(5):1207–1245CrossRefGoogle Scholar
  32. 32.
    Szegedy C, Zaremba W, Sutskever I, Bruna J, Erhan D, Goodfellow I, Fergus R (2013) Intriguing properties of neural networks. arXiv:1312.6199
  33. 33.
    Tax DMJ, Duin RPW (2002) Uniform object generation for optimizing one-class classifiers. J Mach Learn Res 2:155–173zbMATHGoogle Scholar
  34. 34.
    Tondi B (2018) Pixel-domain adversarial examples against cnn-based manipulation detectors. Electron Lett 54(21):1220–1222. CrossRefGoogle Scholar
  35. 35.
    Verdoliva L, Cozzolino D, Poggi G (2014) A feature-based approach for image tampering detection and localization. In: 2014 IEEE international workshop on information forensics and security (WIFS). IEEE, pp 149–154Google Scholar
  36. 36.
    Wang B, Kong X, You X (2009) Source camera identification using support vector machines. In: Peterson G, Shenoi S (eds) Advances in digital forensics V. Springer, Berlin, pp 107–118CrossRefGoogle Scholar
  37. 37.
    Yarlagadda SK, Güera D, Bestagini P, Maggie Zhu F, Tubaro S, Delp EJ (2018) Satellite image forgery detection and localization using gan and one-class classifier. Electronic Imaging 2018(7):1–9CrossRefGoogle Scholar
  38. 38.
    Yuan HD (2011) Blind forensics of median filtering in digital images. IEEE Trans Inf Forensics Secur 6(4):1335–1345CrossRefGoogle Scholar
  39. 39.
    Zheng P, Yuan S, Wu X, Li J, Lu A (2018) One-class adversarial nets for fraud detection. arXiv:1803.01798
  40. 40.
    Zhou C, Paffenroth RC (2017) Anomaly detection with robust deep autoencoders. In: Proceedings of the 23rd ACM SIGKDD international conference on knowledge discovery and data mining. ACM, pp 665–674Google Scholar
  41. 41.
    Zuiderveld K (1994) Graphics gems iv. chap. Contrast limited adaptive histogram equalization. Academic Press Professional, Inc., San Diego, pp 474–485Google Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Department of Information Engineering and Mathematical SciencesUniversity of SienaSienaItaly

Personalised recommendations