Content uploaded by Suo Gao
Author content
All content in this area was uploaded by Suo Gao on Mar 21, 2022
Content may be subject to copyright.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
Copyright © 20xx IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the
IEEE by sending an email to pubs-permissions@ieee.org.
1
Abstract—While existing watermarking attack methods can
disturb the correct extraction of watermark information, the
visual quality of watermarked images will be greatly damaged.
Therefore, a concealed attack based on generative adversarial
network and perceptual losses for robust watermarking is
proposed. First, the watermarked image is utilized as the input of
generative networks, and its generating target (i.e. attacked
watermarked image) is the original image. Inspired by the U-Net
network, the generative networks consist of encoder-decoder
architecture with skip connection, which can combine the low-
level and high-level information to ensure the imperceptibility of
the generated image. Next, to further improve the imperceptibility
of the generated image, instead of the loss function based on MSE,
a perceptual loss based on feature extraction is introduced. In
addition, a discriminative network is also introduced to make the
appearance and distribution of generated image similar to those of
the original image. The addition of the discriminative network can
remove watermark information effectively. Extensive experiments
are conducted to verify the feasibility of the proposed concealed
attack method. Experimental and analysis results demonstrate
that the proposed concealed attack method has better
imperceptibility and attack ability in comparison to the existing
watermarking attack methods.
Index Terms—concealed attack; generative adversarial
network; perceptual losses; imperceptibility
I. INTRODUCTION
he research on digital image watermarking technology
mainly focuses on two aspects: watermarking methods[1-4]
and watermarking attack methods [5, 6]. The watermarking
method [7], which plays the role of “defender”, enhances the
robustness of the embedding algorithm to resist various attack
methods; and watermarking attack method, as the “attacker”,
tries to make watermarking method unable to extract the
embedding watermarking information correctly through
various attack methods on digital image watermarking system.
In recent years, many mature robust watermarking
algorithms have been proposed to resist various attacks, such as
This research is supported by the National Natural Science Foundation of
China (No: 61672124, 61802212, 61872203), the Password Theory Project of
the 13th Five-Year Plan National Cryptography Development Fund (No:
MMJJ20170203), Liaoning Province Science and Technology Innovation
Leading Talents Program Project (No: XLYC1802013), Key R&D Projects of
Liaoning Province (No: 2019020105-JH2/103), Jinan City ‘20 universities’
Funding Projects Introducing Innovation Team Program (No: 2019GXRC031),
Research Fund of Guangxi Key Lab of Multi-source Information Mining &
Security (No: MIMS20-M-02). (Corresponding authors: Xingyuan Wang, Bin
Ma, Xiaoyu Wang.)
additive noise, image filtering, lossy compression, and
geometric attacks, etc. To resist conventional signal processing
attacks, watermarking methods based on image spatial domain
[8, 9], transform domain [10, 11], and feature space are
designed. For the sake of resisting geometric attack,
watermarking methods based on geometric invariants,
synchronous correction, and local feature region method are
designed. In addition, a variety of watermarking methods have
been proposed to resist gradient reduction attacks, sensitivity
attacks and scrambling attacks [12, 13]. With the development
of deep learning, researchers extend deep neural networks to the
field of image watermarking. Haribabu et al. [14] proposed an
image watermarking algorithm based on Auto-encoder
architecture in 2015. In 2018, a hidden architecture called
“HiDDeN” for image watermarking is proposed [15], which
utilizes neural networks to complete the task of watermark
information embedding. In the same year, Ahmadi et al. [16]
proposed a deep end-to-end differential watermarking
framework, which can learn new watermarking algorithms in
transform domain. Hao et al. proposed an image watermarking
algorithm based on generative adversarial nets in 2020 [17]. In
the same year, a blind image watermarking algorithm [18]
based on neural networks was proposed.
At present, the research on robust watermarking technology
is developing rapidly at home and abroad, but there are few
research teams on watermarking attacks. When the vast
majority of research works are concentrated in the field of
robust watermarking technology, start from the opposite
direction of robust watermarking technology (i.e. watermarking
attack), analyzing the vulnerability of present robust
watermarking schemes for developing new watermarking
attack method, it can not only provide a new research field but
also can better promote the development of robust
watermarking. As far as we know, in 2005, Licks and Jordan
from the University of New Mexico published on IEEE
Multimedia the research on geometric attack method of image
watermarking system [19], which led to the development and
progress of the image watermarking attack method. However,
Qi Li, Xingyuan Wang, Xiaoyu Wang and Suo Gao are with the School of
Information Science & Technology, Dalian Maritime University, Dalian,
116026 China. (email: qluliqi@163.com; wangxy@dlut.edu.cn;
qluwxy@163.com and 1418159118@qq.com).
Bin Ma, Chunpeng Wang are with the School of Cyber Security, Qilu
University of Technology, Jinan, 250353 China (email: sddxmb@126.com;
mpeng1122@163.com).
Yunqing Shi is now with Department of Electrical and Computer
Engineering, New Jersey Institute of Technology, Newark, NJ07102, USA.
(email: shi@njit.edu).
Concealed Attack for Robust Watermarking Based on
Generative Model and Perceptual Loss
Qi Li, Xingyuan Wang, Member, IEEE, Bin Ma, Member, IEEE, Xiaoyu Wang, Chunpeng Wang,
Suo Gao and Yunqing Shi, Fellow, IEEE
T
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
2
there are still few research teams that carry on image
watermarking attacks and make in-depth research. So how to
further improve the robustness of image watermarking
technology? From our point of view, sharper spear can fortify
shield, it is undoubtedly correct to enhance the robustness of
image watermarking technology from the perspective of
improving the ability of watermarking attack. At present, there
are many types of watermarking attack methods, such as
additive noise, image filtering, lossy compression, and
geometric attack, etc. [20-22]. These traditional attack methods
can verify the robustness of watermarking schemes to a large
extent. However, for many practical application scenarios,
many images that need to be protected cannot be utilized to
verify the robustness of watermarking schemes at the cost of
visual quality loss. In the military, medical, remote sensing, and
other sensitive fields, due to the importance of original
information, the robustness of watermarking methods cannot be
violently verified using traditional attack methods, otherwise, it
will lose the most basic significance of the original carrier.
Therefore, it is urgent to research out an attack scheme, which
can not only guarantee the visual quality of the watermarked
images but also can effectively destroy the embedded
watermarking information.
To this end, deep learning is introduced to the field of
watermarking attacks and a novel imperceptible concealed
attack for robust watermarking based on generative adversarial
network and perceptual losses is proposed. And the key
contributions are listed as follows:
1. As far as we know, this is the first time that such a
watermarking attack method based on generative adversarial
networks and perceptual losses is reported.
2. The attacked watermarked image over the proposed
method is highly imperceptible. The optimization goal of the
attack model is the original image, that is, the watermark
information can be removed without destroying the
perceptibility of the watermarked image.
3. The proposed concealed attack method is superior to most
existing attack methods (consisting of signal processing and
geometric distortion, etc.) in terms of attack capability.
4. A novel watermarking attack model is proposed, the
purpose of which is to promote the “defender” (watermarking
method) with the “attacker” (watermarking attack method)
from the perspective of reverse thinking, which will inevitably
promote the sound development of both “defender and
attacker” in the field of digital watermarking technology.
The remainder of this paper is organized as follows: Part II
gives an introduction to related work on watermarking attacks,
robust watermarking methods and generative adversarial
networks, etc. It is proposed in Part III to introduce robust color
watermarking algorithms based on quaternion exponent
moments. Part IV introduces the proposed method. Part V gives
the selection results of the optimal parameters and gives the
final experimental results. Part VI summarizes the whole paper
and discusses the research significance of this paper and the
future research direction.
II. RELATED WORK
A. Watermarking Attack
Watermarking attack is to examine the robustness of the
digital watermarking system by various attacks. The
significance of its existence is to improve the digital
watermarking system by analyzing the weakness of
watermarking methods and the reasons for its vulnerability to
attack. The purpose of the watermarking attack is to make the
watermarking receiver unable to detect the existence of
watermarking information or unable to recover watermarking
information correctly.
Since the watermarking attack method was first proposed,
many researchers have studied and classified the watermarking
attack methods: ① Robust attack, expressive attack,
explanatory attack, and legal attack [23]; ② simple attack,
synchronous attack, obfuscate attack, and erase attack [24]; ③
Cryptographic attack, geometric attack, protocol attack and
wipe attack [25]; ④ Unintentional attacks and intentional
attacks [26]; ⑤ Unauthorized embedding, unauthorized
detection, and unauthorized deletion [27]. Cao et al. [28]
proposed a perfect watermarking attack classification method
based on the above attack classification. They classify non-
technical attack and technical attack and then divide all the
above attack methods into these two aspects, in which Robust
attack draws much attention in the field of watermarking
methods. We proposed a novel imperceptible watermarking
attack based on generative adversarial networks and perceptual
losses, which is reduced to the category of erasing attack, as
shown in Fig. 1. (the attack proposed in this paper is marked in
green)
Fig. 1. Classification of watermarking attack methods
With the rapid development of computer hardware and
network bandwidth, the deep learning technology has attracted
the widespread attention from researchers. In the era of deep
learning, convolutional neural network (CNN) provides an
opportunity to change the traditional watermarking attack.
Geng et al [29] proposed a CNN-based real-time attack scheme
for robust watermarking algorithms. They pointed out the
existing attack methods are not able to balance the image
quality and the destructive ability of watermark image. The
proposed attack scheme can pre-process the watermarked
image without any prior knowledge, thereby successfully
hindering the extraction of watermark image. Nam et al [30]
designed a watermarking attack network (WAN). A network
architecture based on residual dense blocks is utilized to learn
local and global features of watermark image, which makes
Image Watermarking Attack
Non-technical Attack Technical Attack
Law Attack System Attack Unintentional Attack Intentional Attack
Active Attack Passive Attack
Robust Attack Explanatory Attack Cryptographic Attack Hidden Attack
Removed
Attack Present Attack
Signal
Attack Sensitivity
Attack Geometric
Attack Disturbing
Attack
Descent
Attack
Concealed
Attack
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
3
various robust watermarking algorithms invalid without
disturbing the quality of the watermarked images. Hatoum et al
[31] regarded full convolutional neural network as a denoising
attack to enhance the quality of the watermarked images, which
draws the idea of convolutional neural networks in super-
resolution and attacks the watermarked images obtained from
by the two watermarking methods of spread transform dither
modulation and spread spectrum. The above research results
indicate that it is completely feasible to construct a new
watermarking attack paradigm based on deep learning.
B. Robust Watermarking Technology
Robust watermarking technology focuses on improving the
anti-attack ability of watermarked images, that is, it can still
extract complete watermark information from the watermarked
image after being attacked by malicious intent. For the
traditional robust watermarking technology, it can be divided
into transform domain robust watermark and feature space
robust watermark. Wang et al [32] introduced a robust
watermarking algorithm based on polar complex exponential
transform (PCET) and logical mapping, which utilizes the
geometric invariance of PCET to improve the robustness of the
algorithm against geometric attacks. first used ZMs in image
watermarking algorithms. Xia et al [33] proposed a
geometrically invariant color medical image empty
watermarking algorithm based on quaternion polar harmonic
Fourier moments (QPHFM), which can realize copyright
protection without changing the original medical image.
However, the traditional robust watermarking technology
cannot better explore the inherent characteristics of watermark
images. In view of the shortcomings of the current traditional
robust image watermarking technology, researchers have begun
to extend convolutional neural networks to the field of robust
watermarking technology. Zhu et al [34] proposed the HiDDeN
(Hiding data with deep networks) architecture for image
steganography and watermarking embedding, which uses
neural networks to learn the characteristics of using subtle
perturbations to encode a large amount of useful information
for the task of data hiding, and extends the model to the field of
image watermarking technology. Ahmadi [35] and others
proposed a deep end-to-end differential watermarking
framework (ReDMark), which can learn new watermarking
algorithms in any transform space. It can be seen that the
research and development of robust watermarking technology
are quite rapid.
C. Generative Adversarial Network and Perceptual Losses
1) Generative Adversarial Network
Generative adversarial networks (GAN) were proposed by
Ian Goodfellow [38] in 2014, which was inspired by the idea of
a minimax two-player game. The fundamental GAN consists of
two parts: a generator G and a discriminator D. Random noise
z is used as the input of generator G to generate images, and the
discriminator D is utilized to distinguish the real images from
generated images. Generator G and discriminator D are trained
at the same time and continue to play a minimax game for
reaching the Nash equilibrium. The final goal of the generator
is to make the discriminator D unable to distinguish the real
images and generated images. In other words, the discriminator
D cannot distinguish the sample distributions between the
generated images and real images. The optimization function
corresponding to the fundamental GAN model is as follows:
~P [( ( ( )] [ ( ( )))]dz
x z~ P
GD
minmax E log D x +E log 1 - D G(z
(1)
The generator G and discriminator D are trained alternately
to achieve the optimization of Eq (1). In each mini-batch
iterative process of stochastic gradient optimization, the
discriminator D is firstly updated by ascending its gradient, and
then the generator G is updated by descending its gradient. The
optimization process is as follows:
Fix generator G, and update the parameters of discriminator
D using
D D DV
where
~P [ ( , )] [ (1 ( ( , ), ))]
dz
D x D z ~ P G D
D
V E logD x E log D G z
(2)
Then fix generator D, and update the parameters of generator
G using
G G GV
where
[ (1 ( ( , ), ))]
z
G z~ P G D
G
V E log D G z
(3)
2) Perceptual Losses
At present, most optimization schemes of convolutional
neural networks for images are based on pixel-level. Although
the loss function based on mean squared error (MSE) can make
generated or reconstructed image have a higher signal-to-noise
ratio (PSNR), due to the lack of high-frequency information,
the texture of image is excessively smooth. Johnson [37] et al
proposed a perceptual loss function for training neural networks,
which was used widely in the field of super-resolution and
image transformation, etc. In their scheme, the high-level
features extracted from a pre-trained deep network are utilized
to generate a high-quality image instead of using low-level
features based on MSE. The features extracted from
convolutional neural networks (CNN) can be regarded as a part
of loss function. By reducing differences of the features
extracted from the different layers of CNN between generated
image and target image, the generated images and the target
images can be more semantically similar. The perceptual loss
function is defined as follows:
( ) ( ) ( )
2
,2
1
,
j j j
j j j
x x x x
C H W
(4)
where
()
jx
represents the feature map extracted from the j-th
layer of the neural network
for an image x. And
j j j
C H W
represents the shape of the feature map.
III. THE ATTACKED WATERMARKING ALGORITHM
A. Definition of Quaternion Exponent Moments
The exponent moments are extended to the level of
quaternions, and the quaternion exponent moments of the color
image are further defined. Assuming
( , )fr
is a color image in
the polar coordinate system, according to the general definition
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
4
of exponent moments and quaternions theory. The quaternion
exponent moments of a color image can be defined as:
21 *
00
1( , ) ( )exp( ) ,
4
R
nm n
E f r A r m rdrd
(5)
where
R
nm
E
is the quaternion exponent moment with the order
of n and the repetition of m,
represents a pure quaternion unit,
in this paper,
( )/ 3i j k
.
*()
n
Ar
represents the conjugate
of the radial basis function
()
n
Ar
,
( ) 2/ exp( 2 )
n
A r r j n r
,
, ,0, ,+ .n
After obtaining the quaternion exponent
moments
R
nm
E
, we can use a finite number of quaternion
exponent moments to reconstruct the color image function
( , )fr
, where the highest order is
max
n
. Then the functional
expression of using a finite number of quaternion exponent
moments to reconstruct a color image in a polar coordinate
system can be approximated as follows:
'( , ) ( )exp( ) ( )exp( ).
max max
max max
nn
RR
nm n nm n
n m n n m n
f r E A r m E A r m
(6)
B. Embedding Process of Watermark image
The specific embedding process for watermarking image is shown in Algorithm 1.
Algorithm 1: Embedding algorithm for watermarking image
Input: a cover image Ic of shape C×H×W, a watermarking image Iw of shape M×N
1. Binary watermarking image Iw is scrambled using Arnold transform, and then converted to a one-
dimensional sequence S = {s(k), 1≤k≤M×N}.
2. Calculate the quaternion exponent moment E1 of Ic according to Equation 4.
3. Set key K1 and use it to randomly select M×N quaternion exponent moments ER from E1, i.e. ER
=(
1 1 2 2
, ,..., M N M N
R R R
n m n m n m
E E E
). The corresponding quaternion exponent moment amplitudes are
A=(
1 1 2 2
, ,..., M N M N
n m n m n m
A A A
).
4. Use the following quantization rule to embed S into A:
( 1 2) , mod( ( ),2) 1
ˆ( 1 2) , mod( ( ),2) 0
kk
kk
nm kk
sk
Ask
,
where
round( )
kk
k n m
A
,
round()
is the rounding function,
denotes the quantization step,
mod ,xy
represents the remainder of
x
divided by
y
.
1 1 2 2
()
ˆ ˆ ˆ ˆ
, ,..., M N M N
n m n m n m
A A AA
is the
quaternion exponent moment amplitudes after embedding the secret sequence, and
1 1 2 2
()
ˆ ˆ ˆ ˆ
, ,..., M N M N
R R R
n m n m
Rnm
EEE E
is the corresponding quaternion exponent moments.
5. Compute the reconstructed image
*( , )f h w
using unmodified quaternion exponent moments:
*( , ) ( , ) ( , )
os
f h w f h w f h w
,
where
( , )
o
f h w
represents the original cover image,
( , )
s
f h w
represents the reconstructed image
using ER.
6. The watermarked image embedded with a one-dimensional sequence, denoted as
'( , )f h w
is obtained
as follows:
' * '
( , ) ( , ) ( , )
s
f h w f h w f h w
,
where
'( , )
s
f h w
represents the reconstructed image using
ˆR
E
.
IV. PROPOSED CONCEALED ATTACK METHOD
To accomplish the task of ensuring high imperceptibility of
attacked watermarked image and successfully destroying the
watermark information simultaneously, a novel imperceptible
concealed attack for robust watermarking based on generative
adversarial network and perceptual losses is proposed. Firstly,
the watermarked image is utilized as the input of generative
networks, and its generating target (i.e. attacked watermarked
image) is the original image. Inspired by U-Net network, the
generative networks consist of encoder-decoder architecture
with skip connection [39, 40], which can combine the low-level
and high-level information to ensure the imperceptibility of the
generated image. Then, to further improve the imperceptibility
of the generated image, a perceptual loss based on feature
extraction is introduced. In addition, a discriminative network
is introduced to make the appearance and distribution of
generated image similar to those of the original image. The
addition of discriminative network can remove watermark
information effectively. To obtain the attacked watermarked
images with higher peak signal-to-noise ratios (PSNR), the
MSE loss is added to the loss function for optimizing the model.
The overall architecture of watermarking attack model is shown
in Fig. 2.
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
5
A. Generative Networks
Inspired by the U-Net network and deep steganography, the
generative networks are composed of an encoder-decoder
architecture with skip connection, which can directly merge the
encoding low-level information into the decoding high-level
feature maps to assist the generative networks to generate
images of high visual quality. In addition, to guarantee the
robustness of watermarking algorithms, most of the watermark
information is embedded into the low frequency domain of the
original image. Therefore, in the concatenate stage, the first
several features (contain a large number of low-frequency
information) are discarded for achieving the interference effect
on watermark information.
Fig. 2. Overview diagram of watermarking attack model. Optimization goal of the watermarking attack model: To ensure the high imperceptibility of the
attacked watermarked image, the optimized goal for the watermarking attack model is original image. Loss function: In addition to the most common pixel-based
MSE loss, perceptual loss and discriminative loss are introduced to optimize the watermarking attack model. The combined losses can not only ensure that the
attacked watermarked images have advantage in numerical quantification, but also guarantee the high imperceptibility of attacked watermarked images.
The architecture of generative networks draws heavily from
U-Net networks, which are mainly divided into two parts:
compression and expansion. In the processing of compression,
there are 8 convolutional neural layers with a convolution
kernel size of 3×3 and a stride size of 2. Each convolutional
neural layer is followed by a Batch Normalization module and
a ReLU layer. In the processing of expansion, the up-sampling
operation is adopted to transfer the obtained feature maps into
a three-channel color image with the size of 256×256. The
architecture of generative networks is shown in Table Ⅰ.
In order to ensure the high imperceptibility of generated
image, the perceptual loss function is defined to optimize
generative networks. The pre-trained VGG16 is adopted to
extract feature maps of the original image
o
I
and corresponding
generated image
a
I
(i.e. attacked watermarked image), where
()
aw
I G I
and
w
I
donates the watermarked image. The
perceptual loss function is defined as follows:
( ) ( ) 2
2
1
per k a k o
VGG I VGG I
N
(7)
where
()
k
VGG
represents the features extracted from the layer
k in VGG16. N represents the total feature neuron numbers.
TABLE I
THE ARCHITECTURE PARAMETERS OF GENERATIVE NETWORKS
Layer
Process
Kernels
Output size
Input
/
/
3×(256×256)
Layer 1
Convolution + BN + ReLU
16×(3×3)
16×(128×128)
Layer 2
Convolution + BN + ReLU
32×(3×3)
32×(64×64)
Layer 3
Convolution + BN + ReLU
64×(3×3)
64×(32×32)
Layer 4
Convolution + BN + ReLU
128×(3×3)
128×(16×16)
Layer 5
Convolution + BN + ReLU
256×(3×3)
256×(8×8)
Layer 6
Convolution + BN + ReLU
256×(3×3)
256×(4×4)
Layer 7
Convolution + BN + ReLU
512×(3×3)
512×(2×2)
Layer 8
Convolution + BN + ReLU
512×(3×3)
512×(1×1)
Layer 9
Deconvolution + BN + ReLU
512×(5×5)
512×(2×2)
Concate1
Concate the feature map from Layer7 and Layer9
/
1024×(2×2)
Layer 10
Deconvolution + BN + ReLU
256×(5×5)
256×(4×4)
Original Image Watermark Image
Watermarking
Algorithm
Watermarked Image Watermarking Attack
Model Attacked
Watermarked Image
Pre-trained VGG16 Pre-trained VGG16
Perceptual Loss
MSE Loss
True
False
Discriminative Loss
Discriminative network
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
6
Concate2
Concate the feature map from Layer6 and Layer10
/
512×(4×4)
Layer 11
Deconvolution + BN + ReLU
256×(5×5)
256×(8×8)
Concate3
Concate the feature map from Layer5 and Layer11
/
512×(8×8)
Layer 12
Deconvolution + BN + ReLU
128×(5×5)
256×(16×16)
Concate4
Concate the feature map from Layer4 and Layer12
/
256×(16×16)
Layer 13
Deconvolution + BN + ReLU
64×(5×5)
64×(32×32)
Concate5
Concate the feature map from Layer4 and Layer13
/
128×(32×32)
Layer 14
Deconvolution + BN + ReLU
32×(5×5)
32×(64×64)
Concate6
Concate the feature map from Layer5 and Layer10
/
64×(64×64)
Layer 15
Deconvolution + BN + ReLU
16×(5×5)
16×(128×128)
Concate7
Concate the feature map from Layer6 and Layer11
/
32×(128×128)
Layer 16
Deconvolution + Sigmoid + ReLU
3×(5×5)
3×(256×256)
B. Adversarial Networks
To further improve the imperceptibility of generated image
and remove watermark information effectively, a
discriminative network D is adopted to make the appearance
and distribution of generated image similar to those of the
original image. The goal of D is to encourage that the generated
image is indistinguishable from the original image. The closer
the distribution between the generated image and the original
image is, the more likely the watermark information is to be
removed, that is, the stronger the attack ability of watermarking
attack model is. The loss function of the discriminator is defined
as follows:
~ ( ) ~ ( )
[log ( )] [log(1 ( ( )))]
o o w w
dis I p I o I p I w
D I D G I
(8)
where,
()
o
pI
and
()
w
pI
represent the distribution of original
images and watermarked images, respectively. G donates the
designed generative networks in Table Ⅰ.
C. Total Loss Function
In order to ensure that the attacked watermarked images can
retain more high-frequency information while also having
higher peak signal-to-noise ratios, the MSE loss is added to the
loss function for optimizing the model. Hence the parameters
of the entire watermarking attack network are updated by
minimizing the overall loss function, as shown below.
12total per dis mse
(9)
where
1
and
2
are the weight values for balancing the
individual objective. As the number of iterations increases, the
differences between the attacked watermarked images and the
original watermarked images are getting closer and closer.
Inspired from the empirical value in literature [36] and different
parameter values for λ are repeatedly tested. When parameter
1
is 1e-3 and
2
is 0.006, the imperceptibility of the attacked
watermarked images is numerically optimal. And the
architecture parameters of discriminative networks are shown
in Table Ⅱ. TABLE Ⅱ
THE ARCHITECTURE PARAMETERS OF DISCRIMINATIVE NETWORKS
Layer
Process
Kernels
Output size
Input
/
/
3×(256×256)
Layer1
Convolution + BN
64×(3×3)
64×(128×128)
Layer2
Convolution + BN
128×(3×3)
128×(64×64)
Layer3
Convolution + BN
256×(3×3)
256×(32×32)
Layer4
Convolution + BN
512×(3×3)
512×(16×16)
Layer5
Convolution + BN
1024×( 3×3)
1024×(8×8)
Layer6
Convolution + BN
1024×( 3×3)
1024×(4×4)
Layer7
Convolution + BN
1024×( 3×3)
1024×(2×2)
Layer8
Convolution + BN
1024×( 3×3)
1024×(1×1)
Layer9
Flatten-Dense + sigmoid
/
(1,1)
V. EXPERIMENTAL RESULTS AND ANALYSIS
A. Experimental Setups
In the experiment, training watermarking attack model with
GPU NVIDIA GeForce Tesla V100 32G in the environment of
PyTorch 1.6 and python 3.6. In order to show the comparison
more intuitively, COCO2017, DIV2K2017 and ImageNet
datasets are utilized to train the proposed model. The input and
target of watermarking attack model are watermarked images
and corresponding original images, respectively. For
optimization of generator G, Adam with betas
, 0.9,0.999
12
[ ] [ ]
is utilized. And for optimization of
discriminator D, SGD with momentum 0.9 is adopted. The
initial value of LR (learning rate) for two optimization methods
is set as 0.01, and the adjustment strategy of LR is MultiStepLR
operation. The epoch numbers for the training watermarking
attack model are set to 150.
B. Embedding Effect of Watermarking Algorithm
In the process of embedding watermark information, a binary
watermark image (present in Fig. 4) with the size of 32×32 is
embedded into the original color image with the size of 256×
256. It can be seen from Fig 3 that the watermarked images have
a high imperceptibility. And from the results in Table Ⅲ, the
SSIM (Structural Similarity) value for Lena between the
original image and the corresponding watermarked image can
be up to 0.9938 and the PSNR and SSIM average values for six
test images between original images and the corresponding
watermarked images can be up to 34.0672 and 0.9788,
respectively. The experimental results of visual quality and
quantitative evaluations show that the embedding operation of
the watermark image does not cause great damage to the
original image.
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
7
Fig. 3. The watermarked images obtained by embedding watermark image
Fig. 4. The binary watermark image with the size of 32×32
To verify whether there will be interference to the extraction
of watermark information in the process of embedding and
extracting of watermark image, we calculated the BER values
of extracting watermark information from watermarked images,
as shown in the third row of Table Ⅲ. It can be seen from the
experimental results in Table Ⅲ that there is still a certain bit
error rate when the watermark information is extracted from the
un-attacked watermarked image, which indicates that the
watermark information is slightly damaged in the process of
embedding and extracting the watermarking algorithm. It
provides a benchmark quantitative evaluation for BER of
watermark information extracted from attacked watermarked
images.
TABLE Ⅲ
The PSNR and SSIM values of watermarked images, and the BER values for watermark images extracted from original watermarked images
Lena
Barbara
Peppers
Mandrill
Airplane
Sailboat
Mean
PSNR
34.3159
34.0175
33.8359
33.8796
34.3713
33.9832
34.0672
SSIM
0.9938
0.9753
0.9922
0.9864
0.9418
0.9834
0.9788
BER
0.0284
0.0292
0.0234
0.0292
0.0302
0.0263
0.0284
C. The Alteration Degree and Information Loss of Attacked
Watermarked Image
The imperceptibility of the attacked watermarked image
depends on the alteration degree and information loss. To this
end, we compared the corresponding histograms of the RGB
channels of the original watermarked image and attacked
watermarked images, and the experimental results are shown in
Fig. 5. The first row in Fig. 5 represents the histograms of the
RGB channels of the original watermarked image. The second
and third-row represent the histograms of the RGB channels of
the attacked watermarked images obtained by traditional attack
methods, such as Gaussian noise, median filter, etc. And the last
row represents the histograms of the RGB channels of the
attacked watermarked images obtained by the proposed attack
method. Compared with the traditional attack methods, the
histograms of the RGB channels of the attacked watermarked
images obtained by the proposed attack method are closer to the
original watermarked image.
To obverse the information loss of the watermarked images
before and after being attacked more intuitively, the residual
images (in Fig. 6) between the original watermarked images
and the attacked watermarked images are calculated. By
directly magnifying the pixel-wise (×5 and ×10) differences
between the original watermarked images and the attacked
watermarked images, portions of the information loss are
revealed, as shown in Fig 6. As can be seen from the
experimental results in Fig 6, compared with the traditional
attack methods, the information loss obtained by the proposed
attack method is minimal, which means that the attacked
watermarked images have better imperceptibility.
Fig. 5. The corresponding histograms of the RGB channels of the original
watermarked image and attacked watermarked images obtained by different
attack methods
Original Image Without
Watermarking
Information
Image With
Watermarking
Information
Original Image with
Watermarking
Information
R G B
Watermarked Image
Attacked by Gaussian
Noise
Watermarked Image
Attacked by Gaussian
Noise and Median Filter
Watermarked Image
Attacked by Proposed
Attack Model
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
8
Fig. 6. Examples for residual images obtained between the original
watermarked images and the corresponding attacked watermarked images.
D. The Imperceptibility of Attacked Watermarked Image
1) Quantitative Evaluation
It is an important goal for the watermarking attack model to
ensure the high imperceptibility of attacked watermarked
images, that is, to reduce the distortion of the visual quality of
the attacked watermarked images as much as possible. The
malpractice of traditional watermarking attack methods
(filtering, sharpening, and combined attacks, etc.) exists since
destroying the integrity of watermarked images to make a
certain interference to the extraction of watermark information
instead of the characteristics of the watermark image are not
exploited well to make effective damage. Furthermore, the
malpractice can lead to serious distortion of the watermarked
images. To this end, the quality of the attacked watermarked
images is tested in terms of PSNR and SSIM under the
conditions of combined attack methods and single attack
methods. Table Ⅴ shows the experimental results compared
with combined attack methods. As can be seen from the
experimental results in Table Ⅴ, the attacked watermarked
images obtained by the proposed method, where the average of
SSIM value and PSNR value can be up to 0.9907 and 27.9949,
respectively. Compared with the traditional combined attack
methods, the attacked watermarked images obtained by the
proposed method have better imperceptibility.
Intuitively, since a combined attack is equivalent to a double
attack on the watermarked image, the imperceptibility of the
attacked watermarked image is bound to be seriously disturbed.
To make the experimental results more convincing, the quality
of the attacked watermarked images is tested in terms of PSNR
and SSIM under the conditions of single attack methods, as
shown in Table Ⅵ. As shown in Table Ⅵ, compared with the
attacked watermarked images obtained by signal attack
methods, the proposed method still has absolutely the
advantage in ensuring the high imperceptibility of the
attacked watermarked image.
2) Qualitative Evaluation
It is common knowledge that the ability of PSNR and MSE
to capture high texture features is limited due to the definition
restricted at the pixel level, i.e., the high PSNR and SSIM
values don’t necessarily reflect the visual quality of the attacked
images. To this end, some experimental results are compared
between the proposed attack method and some representative
benchmark methods, such as average filter, edge sharpening,
and Gaussian noise, etc. It can be concluded from the
comparison results in Fig. 7 that the attacked watermarked
obtained by the proposed attack method is most similar to the
original watermarked image, which indicates that the proposed
method can guarantee the high imperceptibility of the attacked
watermarked images.
3) Ablation Study
As shown in Table IV, the perceptual loss plays an important
role in improving the performance of our model. As we can see
from the comparable experimental results of first and second
rows in Table IV, the PSNR value and SSIM value with
perceptual loss have been improved, respectively. The
experimental results obtained by combining two loss functions
to train the model are shown in the third row in Table IV. It can
be seen that the PSNR value and SSIM value of the attacked
watermarked images are optimal in this case. Correspondingly,
the BERs obtained under different loss functions are compared,
as shown in 5th column of Table IV. As the imperceptibility of
the attacked watermarked images increases, the corresponding
BERs are getting lower and lower, which means that the attack
ability of the model decreases. This phenomenon shows that the
attack ability and the imperceptibility are in an inverse
relationship, and the optimized goal of the model is to find a
balance between the attack ability and the imperceptibility.
TABLE Ⅳ
The PSNR and SSIM values of the attacked watermarked images obtained by
combined attack methods
Perceptual Loss
MSE Loss
PSNR
SSIM
BER
25.5681
0.9284
0.2042
27.4688
0.9845
0.1547
28.3265
0.9884
0.0976
Fig. 7. The watermarked images attacked by different attack methods
E. Attack Ability
Obviously, the attack ability is also crucial to the attack
method. The traditional watermarking attack method can play a
Attacked
Watermarked Image
Original
Watermarked Image Diff Diff ×10Diff ×5
Median Filter
Gaussian Noise
Edge Sharpening
Average Filter
Gaussian Filter
Proposed Method
Original
Watermarked Image Average Filter Edge Sharpening Gaussian Noise Median Filter
Salt & Pepper Noise Rotate 90°Rotate45°+Salt &
Pepper Noise Rotate15°+Resize Proposed Method
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
9
certain interference effect on the extraction of watermark
information at the premise of sacrificing the visual quality of
the watermarked image. And the attack ability is not strong due
to the limitation in failing to exploit the characteristics of the
watermark information. Fig 8 shows the compared results of
different attack methods in terms of the attack ability (BER). It
can be seen from the experimental results in Fig 8 that the
proposed attack method is superior to most traditional attack
methods (consisting of signal processing and geometric
distortion, etc.) in terms of attack capability.
TABLE Ⅴ
The PSNR and SSIM values of the attacked watermarked images obtained by combined attack methods
Attack
Method
Median filter+
Gaussian noise
JEPG70+
Salt&
pepper
noise
JEPG70+
Average filter
JEPG70+
Gaussian
noise
JEPG70+
Edge
sharpening
Proposed
Method
Lena
PSNR
19.9259
24.5030
26.8482
20.0149
20.9271
28.3291
SSIM
0.8022
0.9286
0.9653
0.8096
0.8937
0.9961
Barbara
PSNR
19.6171
24.2045
24.9647
19.8211
19.7634
28.9366
SSIM
0.5461
0.8110
0.8723
0.5823
0.7608
0.9878
Peppers
PSNR
20.1587
23.8325
25.3428
19.9042
22.3804
28.5040
SSIM
0.8280
0.9253
0.9420
0.8178
0.9187
0.9954
Mandrill
PSNR
20.1288
23.7851
23.6252
19.5709
18.2240
27.6298
SSIM
0.6893
0.8387
0.7644
0.6503
0.7161
0.9897
Airplane
PSNR
19.9611
24.0430
23.6617
19.9125
20.6602
26.1156
SSIM
0.3834
0.6976
0.9074
0.3909
0.7144
0.9823
Sailboat
PSNR
19.5962
23.3249
22.9401
19.7107
18.9093
28.4544
SSIM
0.6316
0.8378
0.8427
0.6439
0.7786
0.9931
Mean
PSNR
19.8979
23.9488
24.5637
19.8223
20.1440
27.9949
SSIM
0.6467
0.8393
0.8823
0.6491
0.7970
0.9907
TABLE Ⅵ
The PSNR and SSIM values of the attacked watermarked images obtained by signal attack methods
Attack Method
Gaussian
noise
Salt&
pepper
noise
Average
filter
Edge
sharpening
Median
filter
Rotate
90°
Translation
Proposed
method
Lena
PSNR
20.2258
25.2299
24.9014
21.4605
27.5997
11.7915
26.4274
28.3291
SSIM
0.8189
0.9405
0.9372
0.9124
0.9603
0.6134
0.9639
0.9961
Barbara
PSNR
20.1547
25.2011
24.7029
20.2357
26.4938
10.7814
25.6011
28.9366
SSIM
0.6109
0.8584
0.8258
0.8165
0.8654
0.2370
0.9168
0.9878
Peppers
PSNR
20.2939
24.9218
26.0579
23.4787
26.8780
10.7518
27.9682
28.5040
SSIM
0.8334
0.9440
0.9583
0.9473
0.9810
0.4069
0.9842
0.9954
Mandrill
PSNR
20.1288
25.3796
23.9117
18.7675
24.9623
11.2977
26.0001
27.6298
SSIM
0.6893
0.8945
0.7769
0.7695
0.8030
0.1414
0.9338
0.9897
Airplane
PSNR
20.2084
24.8227
24.2402
22.3565
25.3012
13.0189
25.3315
26.1155
SSIM
0.4074
0.7388
0.8375
0.8372
0.8330
0.2662
0.9502
0.9823
Sailboat
PSNR
20.2922
24.9620
24.8969
20.8369
24.2670
8.3802
27.5119
28.4544
SSIM
0.6496
0.8708
0.8375
0.8373
0.8724
0.0236
0.9524
0.9931
Mean
PSNR
20.2173
25.0861
24.7852
21.1893
25.9170
11.0036
26.4733
27.9949
SSIM
0.6682
0.8745
0.8622
0.8534
0.8858
0.2459
0.9502
0.9907
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
10
Fig. 8. The extracted watermarked images and corresponding BER over
different attack methods
Fig. 9. The BERs of extracted watermarked images over different attack
methods
To more intuitively reflect the attack ability of the proposed
method, 25 images are randomly selected from 50 test images
and the corresponding BERs under different attack methods are
computed, as shown in Fig. 9. The extensive experimental
results in Fig. 9 show that the proposed method possesses
certain advantages in attack capabilities in comparison to the
traditional attack methods. According to specific numerical
statistics, the average BER of watermark information extracted
from 50 test images over the proposed method is 0.1024, and
the average BER of watermark information extracted from 50
test images over the combined attack method (JEPG70 + salt &
pepper noise + Gaussian noise) is 0.00762. In addition, the
average BERs of watermark information extracted from 50 test
images over the single attack method (such as median filter and
Gaussian noise) are 0.0631 and 0.0437, respectively. From the
experimental results, we conclude that the proposed method is
an effective attack for watermark information.
F. Comparison against other network-based methods
Table Ⅵ compares the numerical results of our attack model
with Geng et al [29] and FCNNDA [31]. In order to show the
comparison more intuitively, COCO2017, DIV2K2017 and
ImageNet datasets are utilized to train the proposed model. As
can be seen from Table Ⅵ, our attack model significantly
outperforms other methods in terms of the imperceptibility for
the attacked watermarked images. This is because other
methods still attack the entire watermarked images, while our
method aims to remove the watermark information, so that it
can better guarantee the integrity of the watermarked images.
Obviously, as the imperceptibility of the attacked watermarked
images increases, the corresponding BERs decrease, which
means model’s attack ability becomes weak. Note that
FCNNDA and Geng’s method can only attack gray-scale
images, which is not insistent with the processing object in this
paper. In order to synchronize the comparison results, the
dimensions are slightly modified to re-train the models. Among
them, FCNNDA attack two traditional watermarking schemes
(Spread Transform Dither Modulation (STDM) and Spread
Spectrum (SS)) and achieve good advantages such as
imperceptibility and attack ability. It can be seen from the
experimental results in Table Ⅶ that our attack model is better
than FCNNDA (In order to synchronize the comparison results,
the dimensions are slightly modified to re-train the models.).
Therefore, it can be shown from other side that our attack model
is also effective for other robust watermarking algorithms. In
addition, It can be seen from the experimental results that the
larger the training dataset, the higher the imperceptibility of the
attacked watermarked images obtained by trained attack model.
TABLE Ⅶ
The PSNR and SSIM values of the attacked watermarked images obtained by signal attack methods
Methods
DIV2K2017
COCO2017
ImageNet
PSNR
SSIM
BER
PSNR
SSIM
BER
PSNR
SSIM
BER
FCNNDA[31]
24.56
0.9664
0.2435
22.34
0.9476
0.2755
25.30
0.9690
0.2120
Geng et al.[29]
26.13
0.9798
0.2176
23.75
0.9488
0.2413
26.74
0.9821
0.1563
Proposed
27.99
0.9907
0.1086
26.67
0.9864
0.1454
28.91
0.9935
0.0962
VI. CONCLUSION
The research on watermarking technology mainly focuses on
two aspects: watermarking methods and watermarking attack
methods. Although traditional watermarking attack methods
can disturb the correct extraction of watermark information, the
great loss to the visual quality of watermarked images will be
caused. Therefore, we propose a concealed attack model for
robust watermarking. The optimized goal of the attack model is
to generate the original non-watermarked image, that is, the
watermark information can be removed without destroying the
perceptibility of the watermarked image. Compared with
traditional watermarking attack, the proposed concealed attack
has higher imperceptibility on the basis of considerable attack
effects.
The watermarking methods acting as the “defender” aim to
enhance the resistance to various attack methods, while the
attack methods acting as the “attacker” carry out various attack
on the digital watermarking system to make the “defender”
unable to correctly extract the watermark information. In recent
years, the research on digital watermarking technology has
mainly focused on the "defender" and the existing
watermarking methods can resist various attacks well. The
stagnation of the "attacker" will undoubtedly have an important
Median Filter
BER=0.0332 Gaussian Filter
BER=0.0293 Average Filter
BER=0.0400 Gaussian Noise
BER=0.1084 Salt & pepper Noise
BER=0.0400 Random Noise
BER=0.0292
JEPG70+Salt &
pepper Noise
BER=0.0605
JEPG70+Average
Filter, BER=0.0937 JEPG70+Meidan
Filter, BER=0.0654 JEPG70+Gaussian
Filter, BER=0.1298 Rotate 15°+resize
1.2, BER=0.0742 Proposed Method
BER=0.1035
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
11
impact on the development of watermarking methods, and
hinder the progress of the entire watermarking field.
In future research work, we will try to apply image
enhancement technologies such as image restoration and super-
resolution to the field of watermarking attacks to further
improve the imperceptibility and attack ability of the
watermarking attack model. In addition, adversarial example
can be realized with the small changes to the image to mislead
the prediction and recognition of neural networks, so we think
it is a new possibility to introduce adversarial example to the
field of watermarking attack.
REFERENCES
[1] F. Peng, W. Jiang, Y. Qi, Z. Lin and M. Long. “Separable Robust Reversible
Watermarking in Encrypted 2D Vector Graphics,” IEEE Transactions on
Circuits and Systems for Video Technology, vol. 30, no. 8, pp. 2391-2405,
2020.
[2] X. Wang, X. Wang, B. Ma,Q. Li, Y. Shi. High Precision Error Prediction
Algorithm Based on Ridge Regression Predictor for Reversible Data
Hiding[J]. IEEE Signal Processing Letters, vol. 28, pp. 1125-1129, 2021.
[3] Z. Wu, L. Gen, Y. Yao, X Zhang. “Watermarking Neural Networks with
Watermarked Images,” IEEE Transactions on Circuits and Systems for
Video Technology, vol. 31, no. 7, pp. 2591-2601, 2021.
[4] Y. Xian, X. Wang, L. Teng. Double Parameters Fractal Sorting Matrix and
Its Application in Image Encryption[J]. IEEE Transactions on Circuits and
Systems for Video Technology, doi: 10.1109/TCSVT.2021.3108767, 2021.
[5] Z. Ma, W. Zhang, H. Fang, X. Dong, L. Geng, and N. Yu. “Local Geometric
Distortions Resilient Watermarking Scheme Based on Symmetry,” IEEE
Transactions on Circuits and Systems for Video Technology, doi:
10.1109/TCSVT.2021.3055255, 2021.
[6] S. Voloshynovskiy, S. Pereira, V. Iquise, and T. Pun. “Attack modelling:
towards a second generation watermarking benchmark,” Signal
Processing, vol. 81, no. 6, pp. 1177-1214, 2001.
[7] C. Wang, B. Ma, Z. Xia, J. Li, Q. Li and Y. -Q. Shi. Stereoscopic image
description with trinion fractional-order continuous orthogonal moments.
IEEE Transactions on Circuits and Systems for Video Technology, doi:
10.1109/TCSVT.2021.3094882, 2021
[8] G. Hua, Y. Xiang, and L. Zhang, “Informed Histogram-Based
Watermarking,” IEEE Signal Processing Letters, vol. 27, pp. 236-240,
2020.
[9] T. Zong, Y. Xiang, I. Natgunanathan, S. Guo, W. Zhou, and G. Beliakov.
“Robust histogram shape-based method for image watermarking,” IEEE
Transactions on Circuits and Systems for Video Technology, vol. 25, no. 5,
pp. 717-729, 2015.
[10] Y. Shen, C. Tang, M. Xu, M. Chen, and Z. Lei, “A DWT-SVD based
adaptive color multi-watermarking scheme for copyright protection using
AMEF and PSO-GWO,” Expert Systems with Applications, vol. 168, pp.
114414, 2021.
[11] C. Wang, X. Wang, Z. Xia, B. Ma and Y. -Q. Shi, "Image Description With
Polar Harmonic Fourier Moments," IEEE Transactions on Circuits and
Systems for Video Technology, vol. 30, no. 12, pp. 4440-4452, 2020.
[12] H. R. Shahdoosti, and M. Salehi, “Transform-based watermarking
algorithm maintaining perceptual transparency,” IET Image Processing,
vol. 12, no. 5, pp. 751-759, 2017.
[13] X. Zhang, and S. Wang, “Watermarking Scheme Capable of Resisting
Sensitivity Attack,” IEEE Signal Processing Letters, vol. 14, no. 2, pp.
125-128, 2007.
[14] K. Haribabu, G. R. K. S. Subrahmanyam, and D. Mishra, “A robust digital
image watermarking technique using auto encoder based convolutional
neural networks,” in: 2015 IEEE Workshop on Computational Intelligence:
Theories, Applications and Future Directions (WCI), Kanpur, India, 2015.
[15] J. Zhu, R. Kaplan, J. Johnson, and L. Fei-Fei, “HiDDeN: Hiding Data With
Deep Networks,” in: European Conference on Computer Vision (ECCV),
Munich, Germany, pp. 682-697, 2018.
[16] M. Ahmadi, A. Norouzi, N. Karimi, S. Samavi, and A. Emami, “ReDMark:
Framework for residual diffusion watermarking based on deep networks,”
Expert Systems with Applications, vol. 146, pp. 113157, 2020.
[17] K. Hao, G. Feng, and X. Zhang, “Robust image watermarking based on
generative adversarial network,” China Communications, vol. 17, no. 11,
pp. 131-140, 2020.
[18] J.-E. Lee, Y.-H. Seo, and D.-W. Kim, “Convolutional Neural Network-
Based Digital Image Watermarking Adaptive to the Resolution of Image
and Watermark,” Applied Sciences, vol. 10, no. 19, pp. 6854, 2020.
[19] V Licks, R Jordan. Geometric Attacks on Image Watermarking Systems[J].
IEEE Multimedia, vol. 12(3), pp.68-78, 2005.
[20] Y Wu. On the security of an SVD-based ownership watermarking[J]. IEEE
Transactions on Multimedia, vol. 7(4), pp.624-627, 2005.
[21] S H. Amiri, M. Jamzad. Robust watermarking against print and scan attack
through efficient modeling algorithm[J]. Signal Processing Image
Communication, vol. 29(10), pp.1181-1196, 2014.
[22] C. Fang, Y. Qi, P. Cheng and W. Zheng. Optimal periodic watermarking
schedule for replay attack detection in cyberphysical systems[J].
Automatica, vol. 112(108698), 2020.
[23] Y. Zhang, X. Luo, Y. Guo, C. Qin and F. Liu, "Multiple Robustness
Enhancements for Image Adaptive Steganography in Lossy Channels," in
IEEE Transactions on Circuits and Systems for Video Technology, vol. 30,
no. 8, pp. 2750-2764, 2020.
[24] F. Hartung, J. Su, and B. Girod, “Spread spectrum watermarking:
malicious attacks and counterattacks,” in: Proceedings of SPIE The
International Society for Optical Engineering, San Jose, CA, United States,
pp. 147-158, 1999.
[25] S. Voloshynovskiy, S. Pereira, V. Iquise, and T. Pun, “Attack modelling:
towards a second generation watermarking benchmark,” Signal
Processing, vol. 81, no. 6, pp. 1177-1214, 2001.
[26] A. Briassouli and M. G. Strintzis, "Optimal watermark detection under
quantization in the transform domain," in IEEE Transactions on Circuits
and Systems for Video Technology, vol. 14, no. 12, pp. 1308-1319, 2004.
[27] I. J. Cox, M. L. Miller, J. A. Bloom, and C. Honsinger, Digital
watermarking: Springer, 2002.
[28] Y Cao, K Wang, D Wang, and J Wang, “New Classification of Digital
Image Watermarking attacks,” Application Research of Computers, vol. 24,
no. 4, pp. 144-146, 2007.
[29] L. Geng, W. Zhang, H. Chen, H. Fang and N. Yu. Real-time attacks on
robust watermarking tools in the wild by CNN. Journal of Real-Time
Image Processing, vol. 17, no. 3, pp. 631-641, 2020.
[30] S. H. Nam, W. Ahn, I. J.Yu and S. M, Mun. WAN: Watermarking Attack
Network. Preprint arXiv:2008.06255, 2020.
[31] M. W. Hatoum, J. F. Couchot, R. Couturier and R. Darazi. Using Deep
learning for image watermarking attack. Signal Processing: Image
Communication, vol. 90, 116019, 2021.
[32] C. Wang, X. Wang, X. Chen and C. Zhang. Robust zero-watermarking
algorithm based on polar complex exponential transform and logistic
mapping. Multimedia Tools & Applications. vol. 76, no. 24, pp. 26355-
26376, 2017.
[33] X. Xia, X. Wang, X. Li, C. Wang, S. Unar, and M. Wang. Efficient
Copyright Protection for Three CT Images Based on Quaternion Polar
Harmonic Fourier Moments. Signal processing, vol. 164, pp. 368-
379,2019.
[34] J. Zhu, R. Kaplan, J. Johnson and F. Li. Hidden: Hiding data with deep
networks[C]//Proceedings of the European Conference on Computer
Vision (ECCV). vol. 11219, pp. 682-697,2018.
[35] M. Ahmadi, A. Norouzi, N. Karimi, S. Samavi, and A. Emami, ReDMark:
Framework for Residual Diffusion Watermarking Based on Deep
Networks, Expert Systems with Applications, vol. 146, pp. 113157, 2020.
[36] I. J. Goodfellow, J. Pouget-Abadie, M. Mirza, B, Xu, D. Warde-Farley, S.
Ozair, A. Courville and Y. Bengio. Generative Adversarial Nets, Advances
in Neural Information Processing Systems 27 (NIPS), pp. 2672-2680,
2014.
[37] J. Johnson, A. Alahi, F. Li. Perceptual Losses for Real-Time Style Transfer
and Super-Resolution[C]// European Conference on Computer Vision.
Springer, vol. 9906, pp. 694-711, 2016.
[38] F. Shiri, F. Porikli, R. Hartley, et al. Identity-Preserving Face Recovery
from Portraits[C]// 2018 IEEE Winter Conference on Applications of
Computer Vision (WACV), pp. 102-111, 2018.
[39] Z. Ji, K. Xiong, Y. Pang, X. Li. "Video Summarization With Attention-
Bsed Encoder-Decoder Networks," in IEEE Transactions on Circuits and
Systems for Video Technology, vol. 30, no. 6, pp. 1709-1717, 2020.
[40] J. Ji, R. Shi, S. Li, P. Chen and Q. Miao. " Encoder-Decoder With Cascaded
CRFs for Semantic Segmention," in IEEE Transactions on Circuits and
Systems for Video Technology, vol. 31, no. 5, pp. 1926-1938, 2021.
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
1051-8215 (c) 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSVT.2021.3138795, IEEE
Transactions on Circuits and Systems for Video Technology
> REPLACE THIS LINE WITH YOUR PAPER IDENTIFICATION NUMBER (DOUBLE-CLICK HERE TO EDIT) <
12
Qi Li was born in Jinan, China in 1993. He
received the B.S. degree in Computer
science and technology from Qilu
University of Technology (Shandong
Academy of Science), Jinan, China, in 2016,
and the M.S. degree in Computer
Application from Qilu University of
Technology (Shandong Academy of
Science), Jinan, China, in 2019, He is
currently pursuing the Ph.D. degree in Computer Science and
Technology from Dalian Maritime University, Dalian, China.
His research interests mainly include information hiding,
computer vision, and machine learning.
Xingyuan Wang received the B.S. degree
in applied physics from Tianjin University,
Tianjin, China, in 1987, the M.S. degree in
optics from Tianjin University, in 1992,
and the Ph.D. degree in computer software
and theory from Northeastern University,
Shenyang, China, in 1999. From 1999 to
2001, he was a post-doctoral fellow in
automation in Northeastern University.
Currently he has been a Second-level Professor with the School
of Information Science and Technology, Dalian Maritime
University, Dalian, China. He has published 6 academic
monographs and more than 590 SCI papers, with a total citation
15000 and an H-index 60 (Web of ScienceTM), 6 papers and 28
papers are respectively selected as the hot papers and highly
cited papers of the ESI. His research interests include chaos,
fractal, and complex network theory and application research.
He is ranked 2640 in the world's top 100,000 scientists (ranked
160 in China). Prof. Wang was in the top 2% of scientists 2020
in the world - China (Top 200 for Science Impact 2019), was a
highly cited researcher worldwide from 2018 to 2021. He has
applied for 27 invention patents, and has authorized 18
invention patents (15 in international and 3 in China). He won
one first prize of Natural Science of Liaoning Province (the only
complete person), and one second prize of Natural Science of
Ministry of Education (the first complete person).
Bin Ma received the M.S and Ph.D.
degrees from Shandong University, Jinan,
China, in 2005 and 2008, respectively.
From 2008 to 2013, he was an Associate
Professor with the School of Information
Science, Shandong University of Political
Science and Law, Jinan, China. He visited
the New Jersey Institute of Technology at
Newark, NJ, USA, as a Visiting Scholar
from 2013 to 2015. He is currently an Associate Professor with
the School of Information Science, Qilu University of
Technology, Shandong, China. His research interests include
reversible data hiding, multimedia security, and image
processing. He is a member of IEEE.
Xiaoyu Wang was born in Heze, China in
1994. She received the B.S. degree in
Computer science and technology from
Qilu University of Technology (Shandong
Academy of Science), Jinan, China, in 2016,
and the M.S. degree in Computer
Application from Qilu University of
Technology (Shandong Academy of
Science), Jinan, China, in 2019, He is
currently pursuing the Ph.D. degree in Computer Science and
Technology from Dalian Maritime University, Dalian, China.
Her research interests mainly include reversible data hiding,
machine vision, and image processing.
Chunpeng Wang was born in Heze, China
in 1989. He received the B.E. degree in
Computer science and technology in 2010
from Shandong Jiaotong University, China,
The M.S. degree from the School of
Computer and Information Technology,
Liaoning Normal University, China, 2013,
and the Ph.D. degree in School of
Computer Science and Technology, Dalian University of
Technology, China, 2017. He is currently a teacher with the
School of Cyber Security, Qilu University of Technology
(Shandong Academy of Science), Jinan, China. His research
interests mainly include image watermarking and signal
processing.
Suo Gao received the B.S. degree from
Shenyang Aerospace University, Shenyang,
China, in 2018, the M.S. degree from
Dalian Maritime University, Dalian, China,
in 2021. He is currently pursuing the Ph.D.
in computer science and technology with
Harbin Institute of Technology, Harbin,
China. He has published more than 10 SCI
papers, with a total citation 340, 2 papers are selected as the hot
papers and highly cited papers of the ESI. His research interests
include chaos, action segmentation, and image processing.
Yun-Qing Shi received the M.S. degree
from Shanghai Jiao Tong University,
China, and the Ph.D. degree from the
University of Pittsburgh, USA. He has
been with the New Jersey Institute of
Technology, USA, since 1987. He has
authored/co-authored more than 300
papers, one book, five book chapters, and
an Editor of ten books, three special issues, and 13 proceedings,
and holds 30 U.S. patents. His research interests include data
hiding, forensics and information assurance, visual signal
processing, and communications. He has served as an Associate
Editor of the IEEE Transactions on signal processing and the
IEEE Transactions on Circuits and Systems (Ⅱ). He serves as
an Associate Editor of the IEEE Transactions on Information
Forensics and Security, and an Editor Board Member of a few
journals.
Authorized licensed use limited to: Harbin Institute of Technology. Downloaded on March 21,2022 at 00:38:33 UTC from IEEE Xplore. Restrictions apply.
