Abstract
As a common security tool, visible watermarking has been widely used to protect the copyright of digital images. However, recent works have shown that visible watermarks can be removed by DNNs without damaging the host images. Such watermark-removal techniques pose a serious threat to image ownership. Inspired by the vulnerability of DNNs to adversarial perturbations, we propose a novel defence mechanism that uses adversarial machine learning for good. Taking the adversary's perspective, we treat blind watermark-removal networks as target models and optimize an imperceptible adversarial perturbation on the host image to proactively attack them; we dub this perturbation a Watermark Vaccine. Specifically, two types of vaccine are proposed. The Disrupting Watermark Vaccine (DWV) ruins the host image, along with the watermark, after it passes through a watermark-removal network. In contrast, the Inerasable Watermark Vaccine (IWV) works in another fashion, keeping the watermark from being removed so that it remains noticeable. Extensive experiments demonstrate the effectiveness of DWV and IWV in preventing watermark removal across various watermark-removal networks. The code is released at https://github.com/thinwayliu/Watermark-Vaccine.
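The abstract describes optimizing an imperceptible perturbation on the host image against a watermark-removal network. Below is a minimal PGD-style sketch of the DWV objective in PyTorch. It is an illustrative reconstruction, not the authors' exact algorithm: the network handle `removal_net`, the MSE objective, the perturbation budget `eps`, and the step schedule are all assumptions, and the released repository should be consulted for the actual implementation.

```python
# Minimal PGD-style sketch of a DWV-like objective (illustrative only).
# Assumes a pretrained blind watermark-removal network `removal_net` that maps
# a (watermarked) image in [0, 1] to a clean estimate; watermark embedding is
# abstracted away, and all hyperparameters are placeholders.
import torch
import torch.nn.functional as F

def disrupting_watermark_vaccine(removal_net, host, eps=8 / 255, alpha=2 / 255, steps=40):
    """Optimize an imperceptible perturbation (the 'vaccine') on the host image
    so that the removal network's output is ruined (DWV-style objective)."""
    delta = torch.empty_like(host).uniform_(-eps, eps).requires_grad_(True)
    for _ in range(steps):
        restored = removal_net(torch.clamp(host + delta, 0.0, 1.0))
        # DWV: push the restored image away from the original host image.
        # (An IWV-style vaccine would instead be optimized so the watermark
        # survives, e.g. by keeping the output close to the watermarked input.)
        loss = F.mse_loss(restored, host)
        loss.backward()
        with torch.no_grad():
            delta += alpha * delta.grad.sign()  # gradient ascent on the loss
            delta.clamp_(-eps, eps)             # keep the vaccine imperceptible
        delta.grad.zero_()
    return torch.clamp(host + delta, 0.0, 1.0).detach()
```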
Acknowledgment
Supported by the National Key R&D Program of China (Grant 2019YFB1406500) and sponsored by the Ant Group Security and Risk Management Fund.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Liu, X. et al. (2022). Watermark Vaccine: Adversarial Attacks to Prevent Watermark Removal. In: Avidan, S., Brostow, G., Cissé, M., Farinella, G.M., Hassner, T. (eds) Computer Vision – ECCV 2022. ECCV 2022. Lecture Notes in Computer Science, vol 13674. Springer, Cham. https://doi.org/10.1007/978-3-031-19781-9_1
DOI: https://doi.org/10.1007/978-3-031-19781-9_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-19780-2
Online ISBN: 978-3-031-19781-9