Watermark Vaccine: Adversarial Attacks to Prevent Watermark Removal

  • Conference paper
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13674)
  • Included in the conference series: Computer Vision – ECCV 2022 (ECCV 2022)

Abstract

As a common security tool, visible watermarking has been widely applied to protect the copyright of digital images. However, recent works have shown that visible watermarks can be removed by DNNs without damaging the host images, and such watermark-removal techniques pose a serious threat to image ownership. Inspired by the vulnerability of DNNs to adversarial perturbations, we propose a novel defence mechanism that uses adversarial machine learning for good. Taking the adversary's perspective, we treat blind watermark-removal networks as our target models and optimize an imperceptible adversarial perturbation on the host image to proactively attack them; we dub this perturbation a Watermark Vaccine. Specifically, two types of vaccine are proposed. The Disrupting Watermark Vaccine (DWV) causes the watermark-removal network to ruin the host image along with the watermark, whereas the Inerasable Watermark Vaccine (IWV) instead keeps the watermark unremoved and still noticeable after the removal attempt. Extensive experiments on various watermark-removal networks demonstrate the effectiveness of DWV and IWV in preventing watermark removal. The code is released at https://github.com/thinwayliu/Watermark-Vaccine.
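
To make the mechanism concrete, the following is a minimal PGD-style sketch of how such a vaccine perturbation could be optimized against a watermark-removal network. It is an illustration under our own simplifying assumptions (additive watermark compositing, a single-output `removal_net` with frozen weights in eval mode, typical PGD hyperparameters, hypothetical names throughout), not the authors' released implementation; see the linked repository for that.

```python
import torch
import torch.nn.functional as F

def craft_vaccine(host, watermark, removal_net, mode="DWV",
                  eps=8 / 255, alpha=2 / 255, steps=50):
    """PGD-style optimization of a vaccine perturbation (illustrative sketch).

    host, watermark: image tensors in [0, 1] of the same shape.
    removal_net:     a pretrained blind watermark-removal network, assumed to
                     be in eval mode with frozen parameters and to return the
                     de-watermarked image directly.
    """
    # Random start inside the L-infinity ball of radius eps.
    delta = torch.zeros_like(host).uniform_(-eps, eps).requires_grad_(True)
    for _ in range(steps):
        # Simplified compositing: paste the watermark onto the vaccinated host.
        watermarked = torch.clamp(host + delta + watermark, 0.0, 1.0)
        restored = removal_net(watermarked)
        if mode == "DWV":
            # Disrupting vaccine: maximize damage to the de-watermarked output
            # by pushing it away from the clean host (gradient ascent).
            loss = F.mse_loss(restored, host)
            sign = +1.0
        else:
            # Inerasable vaccine: keep the output close to the watermarked
            # input so the watermark survives removal (gradient descent).
            loss = F.mse_loss(restored, watermarked.detach())
            sign = -1.0
        loss.backward()
        with torch.no_grad():
            delta += sign * alpha * delta.grad.sign()
            delta.clamp_(-eps, eps)  # L-infinity bound keeps it imperceptible
            delta.grad.zero_()
    return torch.clamp(host + delta.detach(), 0.0, 1.0)
```

In this reading, the vaccinated host image looks unchanged to a human, but once a watermark is stamped on it, any removal attempt by the target network either corrupts the result (DWV) or leaves the watermark visible (IWV).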


Acknowledgment

Supported by the National Key R&D Program of China (Grant 2019YFB1406500) and sponsored by the Ant Group Security and Risk Management Fund.

Author information

Correspondence to Xiaojun Jia.

Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (PDF 12,914 KB)

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Liu, X. et al. (2022). Watermark Vaccine: Adversarial Attacks to Prevent Watermark Removal. In: Avidan, S., Brostow, G., Cissé, M., Farinella, G.M., Hassner, T. (eds) Computer Vision – ECCV 2022. ECCV 2022. Lecture Notes in Computer Science, vol 13674. Springer, Cham. https://doi.org/10.1007/978-3-031-19781-9_1

  • DOI: https://doi.org/10.1007/978-3-031-19781-9_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-19780-2

  • Online ISBN: 978-3-031-19781-9

  • eBook Packages: Computer Science, Computer Science (R0)
