Watermark AttacksOutlineIntroductionSlide 4Assumptions about AttackersAttack CategoriesGeneral CounterattacksSlide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 201Watermark AttacksENEE 739M S’02ENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/26Hong Zhao®Min Wu2OutlineIntroductionDifferent Watermarks for Different ApplicationsAssumptions about AttackersGeneral Descriptions of Attack and CounterattackSome Representative AttacksSummaryENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/263IntroductionWhy do we need to study attacks?–Identify weakness–Propose improvement–Study effects of current technology on watermarkAn example of legitimate tools used as attacksENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/26To win each campaign, a general needs to know both his troop and the opponent’s as well as possible.-- Sun Tzn, The Art of War, 500 BCFrom Min Wu’s UMCP ECEGSA Faculty Seminar 10/12/01 ®Min Wuedge estimationedge-directed interpolation JPEG 10% w/o distort Interp. w/ orig 34.96 138.51 6.30 w/o orig 12.40 19.32 4.52 512x512 lenna Threshold: 3 ~ 64Watermarks for Different ApplicationsRobust Watermark–Applications: Copy Control, Evidence of Ownership, Fingerprinting–Requirement of Robust Watermark:•The watermark can still be detected even after severe processing–Attacker’s goal against Robust Watermark•Make the detector unable to detect the watermark while keeping the perceptual qualityFragile Watermark–Applications: multimedia authentication–Requirement of Fragile Watermark•Determine if the Work* (watermarked MM data) has been changed•It’s difficult for an unauthorized person to insert a valid watermark–Attacker’s goal against Fragile Watermark•Make the watermark still valid after alteration of Work•Generate a valid Work for new dataENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/265Assumptions about AttackersAttacker knows nothing–uses general weakness of watermarking schemesAttacker has more than one watermarked work (Collusion Attack)–different host data watermarked w/ the same watermark–same host data watermarked w/ different watermarksAttacker knows the algorithm (Mostly widely used assumption)–exploits specific weakness of the algorithm–secrecy depends not on the algorithm but the key(s) usedAttacker has access to the detector as an oracle (black box)–sensitivity analysis attack/gradient descent attackENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/266Attack CategoriesUnauthorized Embedding: (Attack against fragile watermark)–Forges a valid watermarked Work for new host data–Copy blocks of valid Work without understanding the contentUnauthorized Detection (terminology in Cox book)–Decode the watermark content: •Electronic medical files watermarked with patients’ ID–Detect the existence of a watermark: •Detectors are limited to few people for security/profit reasonsUnauthorized Removal–Elimination attack: removes the watermark, no one can detect it–Masking attack: watermark is still there, a smart detector can detect itSystem Attack–Exploit the weakness of how the watermark is used •Remove the watermark detector in the DVD copy machineENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/267General CounterattacksPreventing Unauthorized Embedding (for MM Data Authentication Purpose)–Use cryptographic tools or digital signature to prevent forging–Copy attack: let the watermark be host data dependentPreventing Unauthorized Detection–Decoding content: encrypt watermark before embedding–Detecting watermark existence: currently hard to counterattackPreventing Unauthorized Removal–Depends on specific attacksENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/268Representative AttacksScrambling AttackPathological DistortionsCopy AttackAmbiguity AttackSensitivity Analysis Attack and Gradient Descendent AttackCollusion AttackENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/269Scrambling AttackScrambling Attack–Attack automated copy control watermarks; general attack–Watermark is still in the data, “By-Pass” the detector–Samples of a Work are scrambled prior to presentation to a watermark detector and de-scrambled later.Mosaic Attack on Web Crawler [Petitcolas]–A Work is broken into many small patches, each too small for reliable detection.–Demo software: 2Mosaic 0.2.2 for Microsoft Windows 95/98/NT–Example Counterattack against Mosaic Attack:–Decrease the minimum required size for robust watermark embeddingENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/2610Synchronization AttackWatermark is still in the Work, but detector can’t detect it–Against ownership protection, copy control; general attacks–Most watermarking schemes are sensitive to synchronization lossStirMark Attack [Petitcolas]–Source Code StirMark1.0 and ExampleCounterattack:–Attach a registration pattern–Do image registration before detection if original image available–Embed watermark in the transform (e.g., RST) invariant domainENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/26From [Petitcolas]11StirMark AttackENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/26Original Watermarked Work After StirMark Attack Detector Output: 94.6641 Detector Output: 1.764412Linear Filtering and Noise RemovalAgainst additive independent (wmk and host) robust watermarks–Watermark Estimation by [Langelaar]–Host Data Estimation by [Kutter]•ML Estimation (No Prior on Image)–Local Mean for Gaussian Watermark –Local Median for Laplacian watermark•MAP Estimation ( with Prior on Image)–Wiener Filter for Gaussian watermark, Gaussian image–Soft-Shrinkage for Gaussian watermark, Laplacian image–Iterative RLS solution for Gaussian watermark, generalized G. imageCounterattacks–[Su] Фww=Фuu (бw/бu)2 is the most robust against wiener filtering attack on additive independent watermarking schemesENEE739M Multimedia Comm. & Info. Security(S’02) Watermark Attack 2/263*3 Median Filter3*3 HPFTruncate to [-2 2]AW-++-13Copy Attack (Attack on Fragile WM)Assume the attacker knows the embedding algorithmForge a Valid Watermark