Ambiguity Attacks Research Articles

Protecting copyright of stable diffusion models from ambiguity attacks

In recent years, the stable diffusion models (SDMs) have been widely used in text-to-image generative tasks, and their copyright protection problem has been concerned by scholars. The model owners can embed watermarks into SDMs by fine-tuning them, and use the prompt-watermark pair to complete model ownership authentication. However, the attackers can obfuscate model ownership by forging the relationship between the fake prompt and the watermark image. Therefore, this paper proposes a black-box copyright protection method for SDMs, which can effectively resist watermark ambiguity attacks. Specifically, we adopt an irreversible watermarking technology to complete watermark embedding. The hash function is used to ensure the unidirectional irreversible generation of the trigger prompts using the secret key. Then, the trigger set consisting of trigger prompts and watermarks is used to fine-tune the SDMs to embed the watermarks. Without the secret key, it is not possible for the attackers to reverse build the specific prompts with internal associations. Experiments show that our method can protect the copyright of SDMs effectively and resist ambiguity attacks without the model performance degradation.

Unambiguous and High-Fidelity Backdoor Watermarking for Deep Neural Networks.

The unprecedented success of deep learning could not be achieved without the synergy of big data, computing power, and human knowledge, among which none is free. This calls for the copyright protection of deep neural networks (DNNs), which has been tackled via DNN watermarking. Due to the special structure of DNNs, backdoor watermarks have been one of the popular solutions. In this article, we first present a big picture of DNN watermarking scenarios with rigorous definitions unifying the black- and white-box concepts across watermark embedding, attack, and verification phases. Then, from the perspective of data diversity, especially adversarial and open set examples overlooked in the existing works, we rigorously reveal the vulnerability of backdoor watermarks against black-box ambiguity attacks. To solve this problem, we propose an unambiguous backdoor watermarking scheme via the design of deterministically dependent trigger samples and labels, showing that the cost of ambiguity attacks will increase from the existing linear complexity to exponential complexity. Furthermore, noting that the existing definition of backdoor fidelity is solely concerned with classification accuracy, we propose to more rigorously evaluate fidelity via examining training data feature distributions and decision boundaries before and after backdoor embedding. Incorporating the proposed prototype guided regularizer (PGR) and fine-tune all layers (FTAL) strategy, we show that backdoor fidelity can be substantially improved. Experimental results using two versions of the basic ResNet18, advanced wide residual network (WRN28_10) and EfficientNet-B0, on MNIST, CIFAR-10, CIFAR-100, and FOOD-101 classification tasks, respectively, illustrate the advantages of the proposed method.

Ambiguity attack against text-to-image diffusion model watermarking

In recent years, the text-to-image diffusion models have achieved excellent performance. Among them, stable diffusion models (SDMs) have become one of the most widely used models because of their excellent performance. Scholars have proposed many model watermarking techniques to protect the copyright of the text-to-image diffusion models. In order to measure the security and potential risks of the existing text-to-image diffusion model watermarking techniques, an ambiguity attack against the text-to-image diffusion model watermarking is proposed for the first time in this paper. Specifically, we take the SDMs as an example, take advantage of the reversibility of the model watermarking and combine the ideas of adversarial examples and discrete prompt optimization to re-embed a forged watermark in the watermarked SDMs, thus confounding the watermark containing copyright information. A large number of experiments show that our ambiguity attack is effective and can make the original watermark lose its uniqueness without changing the watermarked text-to-image diffusion models.

Ambiguity attacks on the digital image watermarking using discrete wavelet transform and singular value decomposition

Ambiguity attacks on the digital image watermarking using discrete wavelet transform and singular value decomposition

Watermarking in Secure Federated Learning: A Verification Framework Based on Client-Side Backdooring

Federated learning (FL) allows multiple participants to collaboratively build deep learning (DL) models without directly sharing data. Consequently, the issue of copyright protection in FL becomes important since unreliable participants may gain access to the jointly trained model. Application of homomorphic encryption (HE) in a secure FL framework prevents the central server from accessing plaintext models. Thus, it is no longer feasible to embed the watermark at the central server using existing watermarking schemes. In this article, we propose a novel client-side FL watermarking scheme to tackle the copyright protection issue in secure FL with HE. To the best of our knowledge, it is the first scheme to embed the watermark to models under a secure FL environment. We design a black-box watermarking scheme based on client-side backdooring to embed a pre-designed trigger set into an FL model by a gradient-enhanced embedding method. Additionally, we propose a trigger set construction mechanism to ensure that the watermark cannot be forged. Experimental results demonstrate that our proposed scheme delivers outstanding protection performance and robustness against various watermark removal attacks and ambiguity attack.

DeepIPR: Deep Neural Network Ownership Verification With Passports.

With substantial amount of time, resources and human (team) efforts invested to explore and develop successful deep neural networks (DNN), there emerges an urgent need to protect these inventions from being illegally copied, redistributed, or abused without respecting the intellectual properties of legitimate owners. Following recent progresses along this line, we investigate a number of watermark-based DNN ownership verification methods in the face of ambiguity attacks, which aim to cast doubts on the ownership verification by forging counterfeit watermarks. It is shown that ambiguity attacks pose serious threats to existing DNN watermarking methods. As remedies to the above-mentioned loophole, this paper proposes novel passport-based DNN ownership verification schemes which are both robust to network modifications and resilient to ambiguity attacks. The gist of embedding digital passports is to design and train DNN models in a way such that, the DNN inference performance of an original task will be significantly deteriorated due to forged passports. In other words, genuine passports are not only verified by looking for the predefined signatures, but also reasserted by the unyielding DNN model inference performances. Extensive experimental results justify the effectiveness of the proposed passport-based DNN ownership verification schemes. Code is available at https://github.com/kamwoh/DeepIPR.

Protect, show, attend and tell: Empowering image captioning models with ownership protection

By and large, existing Intellectual Property (IP) protection on deep neural networks typically i) focus on image classification task only, and ii) follow a standard digital watermarking framework that was conventionally used to protect the ownership of multimedia and video content. This paper demonstrates that the current digital watermarking framework is insufficient to protect image captioning tasks that are often regarded as one of the frontiers AI problems. As a remedy, this paper studies and proposes two different embedding schemes in the hidden memory state of a recurrent neural network to protect the image captioning model. From empirical points, we prove that a forged key will yield an unusable image captioning model, defeating the purpose of infringement. To the best of our knowledge, this work is the first to propose ownership protection on image captioning task. Also, extensive experiments show that the proposed method does not compromise the original image captioning performance on all common captioning metrics on Flickr30k and MS-COCO datasets, and at the same time it is able to withstand both removal and ambiguity attacks. Code is available at https://github.com/jianhanlim/ipr-imagecaptioning

RST invariant blind image watermarking schemes based on Discrete Tchebichef Transform and Singular Value Decomposition

This paper presents a new rotation, scale and translation (RST) invariant blind watermarking algorithm that combines Discrete Tchebichef Transform (DTT) with a Singular Value Decomposition (SVD) scheme. The proposed method overcomes false-positive problem, and diagonal line problem in the extracted watermark. The DTT coefficients of the image are arranged in a wavelet-like hierarchical subband scheme which generates LL (approximation), HL (vertical), LH (horizontal) and HH (diagonal) subbands. SVD is applied to all DTT subbands in order to decompose it into lower triangular, diagonal and upper triangular components. After applying SVD, the principal components of the watermark are embedded into the diagonal components of each DTT subband using appropriate scale factors. Further improve of robustness is achieved due to the combination of Arnold Transform and permutation operation which scrambles the watermark. Embedding the principal component rather than diagonal component of the watermark makes the algorithm robust to false-positive and ambiguity attacks. The visible diagonal line problem in the extracted watermark is also successively eliminated due to the embedment of principal components of watermark rather than the watermark. In addition to this, our scheme shows better robustness to most of the signal processing attacks. A suitable reverse process is applied to extract the watermark at the decoder output. The proposed method is also combined with Scale-Invariant Feature Transform (SIFT) at the output stage of the encoder. Applying SIFT in the proposed method, the geometrical attacks such as rotation, scale and translation can be restored back using the feature mapping process at the decoder input. Finally, the watermark can be recovered by applying extraction algorithm. Simulation on various kinds of standard test images demonstrated that the proposed methods show a better trade-off against imperceptibility and robustness to common attacks, geometrical attacks as well as combined attacks.

RST Invariant Blind Image Watermarking Schemes Based on Discrete Tchebichef Transform and Singular Value Decomposition

This paper presents a new rotation, scale and translation invariant blind watermarking algorithm that combines discrete Tchebichef transform (DTT) with a singular value decomposition (SVD) scheme. The proposed method overcomes false-positive problem, and diagonal line problem in the extracted watermark. The DTT coefficients of the image are arranged in a wavelet-like hierarchical sub-band scheme which generates LL (approximation), HL (vertical), LH (horizontal) and HH (diagonal) sub-bands. SVD is applied to all DTT sub-bands in order to decompose it into lower triangular, diagonal and upper triangular components. After applying SVD, the principal components of the watermark are embedded into the diagonal components of each DTT sub-band using appropriate scale factor. Further improvement of robustness is achieved due to the combination of Arnold transform and permutation operation which scrambles the watermark. Embedding the principal component rather than diagonal component of the watermark makes the algorithm robust to false-positive and ambiguity attacks. The visible diagonal line problem in the extracted watermark is also successively eliminated due to the embedment of principal components of watermark rather than the watermark. In addition to this, our scheme shows better robustness to most of the signal processing attacks. A suitable reverse process is applied to extract the watermark at the decoder output. The proposed method is also combined with scale-invariant feature transform (SIFT) at the output stage of the encoder. The geometrical attacks such as rotation, scale and translation are restored back using the feature mapping process owing to SIFT at the decoder input. Finally, the watermark can be recovered by applying extraction algorithm at the decoder output. Simulation on various kinds of standard test images demonstrated that the proposed methods shows a better trade-off against imperceptibility and robustness to common attacks, geometrical attacks as well as combined attacks.

Cover dependent watermarking against ambiguity attacks

Abstract Digital Image Watermarking using Singular Value Decomposition has a fundamental flaw of false watermark generation when Singular Values of the watermark are embedded into the cover. The proposed work embeds Principal Components of two watermarks instead, to overcome this flaw. These watermarks are embedded into horizontal and vertical sub-band coefficients of 3-level DWT of the cover respectively. Keys based on cover and watermarks are generated and used for cover and watermark verification during extraction. The proposed technique is secure because knowing the keys merely is not sufficient to extract the two watermarks. Correct combination of keys with the respective 3-level DWT coefficients is required. The work is proved to be robust against false watermark generation, false cover claim and general image processing attacks together with high imperceptibility. Colour images are used in HSV colour model and Value plane is used for embedding the watermark.

Ambiguity attacks on SVD audio watermarking approach using chaotic encrypted images

In this paper, we study the robustness of the proposed watermarking algorithm by Al-Nuaimy et al. (Digit Signal Process 21(6):764–779 2011) for audio signals which is based on singular value decomposition (SVD). It has been concluded that it is fundamentally flawed in its design, in that it falls to two ambiguity attacks where the extracted watermark is not the embedded one but determined by the reference watermark. In the first attack, when a watermarked audio signal is rewatermarked by an attacker’s watermark, this one can be easily extracted to claim ownership of the original audio signal. In the second attack, during the extracting process when an attacker uses the singular vectors of his watermark, he can extract the attacker’s watermark. Therefore, he can claim ownership of the watermarked audio signal. The experimental results prove that the proposed attacks create a false positive detection in watermark extraction. Therefore, Al-Nuaimy et al. algorithm cannot be used for security systems, data hiding and copyright protection.

Hybrid secure and robust image watermarking scheme based on SVD and sharp frequency localized contourlet transform

In this paper, using singular value decomposition (SVD) and sharp frequency localized contourlet transform (SFLCT) a secure and robust image watermarking procedure is introduced. The SVD and SFLCT are applied on both watermark and original images and using the properties of the SVD and utilizing the advantages of the SFLCT, noticeable results of the watermarking requirements are obtained. Since most of the SVD based watermarking schemes are not resistant against ambiguity attacks and suffer from the false positive problem, this objection is resolved without adding extra steps to the watermarking algorithm and the suggested scheme is secure and resistant against ambiguity attacks. The simulation of the scheme is implemented and its robustness against various types of attacks is experimented. In comparison with some of the recent schemes this procedure shows high imperceptibility, capacity and robustness and these features make the scheme a suitable choice for the image processing applications.

Ambiguity attacks on robust blind image watermarking scheme based on redundant discrete wavelet transform and singular value decomposition

Among emergent applications of digital watermarking are copyright protection and proof of ownership. Recently, Makbol and Khoo (2013) have proposed for these applications a new robust blind image watermarking scheme based on the redundant discrete wavelet transform (RDWT) and the singular value decomposition (SVD). In this paper, we present two ambiguity attacks on this algorithm that have shown that this algorithm fails when used to provide robustness applications like owner identification, proof of ownership, and transaction tracking.

Ambiguity Attack on the Integrity of a Genuine Picture by Producing Another Picture Immune to Generic Digital Forensic Test

Ambiguity Attack on the Integrity of a Genuine Picture by Producing Another Picture Immune to Generic Digital Forensic Test

Inversion attack resilient zero‐watermarking scheme for medical image authentication

Medical images are watermarked with patient data to enforce patient authentication and identification in radiology practices. In addition to common threats such as signal processing and geometric attacks, medical image watermarking systems are susceptible to a new class of threats called ‘inversion attack’, leading to ambiguities in establishing rightful ownership. This study presents an ‘inversion attack’ resilient zero-watermarking system, in the hybrid Contourlet transform – singular value decomposition domain for medical image authentication. This scheme preserves the fidelity of the host image without introducing any artefacts and employs triangular number generating function and Hu's image invariants to confront ‘inversion attacks’. The performance of the system is evaluated with medical images of different modalities and a quick response code watermark that contains patient data. The experimental results demonstrate the robustness of the system against ‘ambiguity attacks’ and signify its appropriateness for secured medical image exchange between remote radiologists.

Verifiable Text Watermarking Detection to Improve Security

Digital watermarking technology plays an important role in the areas of copyright protection and identity tracing for owners of digital mediums. At present, the security of the watermarking scheme is facing a great threat. The security of a digital watermarking scheme must not depend on the scheme being kept secret. Zero knowledge-based watermark detection scheme (ZKWD) can achieve this aim. For ZKWD scheme, an owner can provide prove to a verifier that a digital medium in question indeed contains the owner’s watermark information without revealing any secret key and watermark-related information. However, the existing ZKWD protocols are still facing some challenging problems, such as ambiguity attacks. In this paper, a public ZKWD protocol is proposed for plain text, and the homomorphic property of asymmetric encryption algorithm in the multiplication operation is used to prevent the owner from cheating by ambiguity attacks. Compared with existing methods, the security of our proposed ZKWD scheme is improved by using the improved feature extraction algorithm.

Blind Watermarking of Color Images Using Karhunen-Loeve Transform Keying

This paper presents a method for blind digital watermarking of color images. The proposed scheme performs a decorrelation of the RGB color bands of the image to be watermarked using a Karhunen–Loeve transform (KLT), then marks the coefficients of the KLT of the first band obtained. The novelty of the method resides in the fact that the KLT basis images used for the transforms are not related to the image being marked, but are from an image taken as the secret key used throughout the scheme. The watermarking of the chosen KLT coefficients is performed using an i.i.d. Gaussian sequence. The method shows good robustness to attacks and signal processing operations, in particular to JPEG compression, filtering, resampling and noise addition, maintaining at the same time a high image quality. In addition, the scheme is secure against protocol attacks such as copy attack and ambiguity attack.

Parsing ambiguities in authentication and key establishment protocols

A new class of attacks against authentication and authenticated key establishment protocols is described, which we call parsing ambiguity attacks. If appropriate precautions are not deployed, these attacks apply to a very wide range of such protocols, including those specified in a number of international standards. Three example attacks are described in detail, and possible generalisations are also outlined. Finally, possible countermeasures are given, as are recommendations for modifications to the relevant standards.

Non-ambiguity of blind watermarking: a revisit with analytical resolution

Resistance to ambiguity attack is an important requirement for a secure digital rights management (DRM) system. In this paper, we revisit the non-ambiguity of a blind watermarking based on the computational indistinguishability between pseudo random sequence generator (PRSG) sequence ensemble and truly random sequence ensemble. Ambiguity attacker on a watermarking scheme, which uses a PRSG sequence as watermark, is viewed as an attacker who tries to attack a noisy PRSG sequence. We propose and prove the security theorem for binary noisy PRSG sequence and security theorem for general noisy PRSG sequence. It is shown that with the proper choice of the detection threshold Th = a√n (a is a normalized detection threshold; n is the length of a PRSG sequence) and n ⩾ 1.39 × m/a2 (m is the key length), the success probability of an ambiguity attack and the missed detection probability can both be made negligibly small thus non-ambiguity and robustness can be achieved simultaneously for both practical quantization-based and blind spread spectrum (SS) watermarking schemes. These analytical resolutions may be used in designing practical non-invertible watermarking schemes and measuring the non-ambiguity of the schemes.

A new robust reference watermarking scheme based on DWT-SVD

This paper presents a new semi-blind reference watermarking scheme based on discrete wavelet transform(DWT) and singular value decomposition(SVD) for copyright protection and authenticity. We are using a gray scale logo image as watermark instead of randomly generated Gaussian noise type watermark. For watermark embedding, the original image is transformed into wavelet domain and a reference sub-image is formed using directive contrast and wavelet coefficients. We embed watermark into reference image by modifying the singular values of reference image using the singular values of the watermark. A reliable watermark extraction scheme is developed for the extraction of watermark from distorted image. Experimental evaluation demonstrates that the proposed scheme is able to withstand a variety of attacks. We show that the proposed scheme also stands with the ambiguity attack also.