540 likes | 571 Views
Cocktail Watermarking for Digital Image Protection. IEEE Transactions on Multimedia, C. S. Lu, S. K. Huang, C, J. Sze, and Mark Liao Institute of Information Science Academia Sinica, Taiwan. Motivation. What kind of things that a thief won’t steal? The degree of difficulty is high?
E N D
Cocktail Watermarking for Digital Image Protection IEEE Transactions on Multimedia, C. S. Lu, S. K. Huang, C, J. Sze, and Mark Liao Institute of Information Science Academia Sinica, Taiwan
Motivation • What kind of things that a thief won’t steal? • The degree of difficulty is high? • Will get hurt in the action? • Intended objects will be destroyed once they are out of the original place?
Cox’s Method • Add watermark • Step 1:FDCT (Forward Discrete Cosine Transform) and select the largest n coefficients in magnitude. • Step 2:Generate nN(0, 1) noises. • Step 3:Embedding based on: • Step 4:IDCT (Inverse Discrete CosineTransform) • Result
Cox’s Method (conti.) • Extract watermark • Step 1: FDCT of the original image and image in question. • Step 2: Select the largest coefficients in magnitude from both images. • Step 3: Invert the embedding process. • Step 4: Similarity • Result
Host and Watermarked Image by Cox et al. (conti.) • Example 1: n = 2232 Host image Watermarked image PSNR=34.87
Host and Watermarked Image by Cox et al. (conti.) • Example 2: n = 2232 Host image Watermarked image PSNR=36.21
Result by Cox et al. (conti.) • Attacks:
Result by Cox et al. (conti.) • Detector response w.r.t. different attacks: • Lena: maximum (n = 2232): 45.5
Result by Cox et al. (conti.) • Detector response w.r.t. different attacks: • Kids: maximum (n = 2232): 45.4
傳統的方法(I) • NEC Approach • Largest 1000 AC coefficients global DCT 256 256 (+1250, -1006, -989, …, +30)
傳統的方法(II) • Random Modulation: Modu(+,+),Modu(-,-),Modu(+,-),Modu(-,+) Gaussian(0,1) magnitude +1250 +0.5 (+,+) -1006 +0.2 (-,+) -989 -0.3 (-,-) +885 -0.2 (+,-) +30 -0.1 (+,-)
攻擊的作用 • 通常攻擊(attacks)的作用 • 改變coefficients的magnitude • original watermarked image 靠 運 氣 ? Attack #2 Attack #1 coeff.1 coeff.2 coeff.3 coeff.4 coeff.1000 800 pairs matched detector response 0.8 150 pairs matched detector response 0.2
攻擊的分類 • Attacks that increase the magnitude of most transform coefficient • Sharpening, histogram equalization, edge-enhancing… • Attacks that decrease the magnitude of most transform coefficient • Blurring, compression…
傳統的方法(IV) • 缺點 • 人人可藏浮水印進入多媒體資料,但人人缺少理論基礎來證明robustness
雞尾酒式浮水印技術(I) • 緣起:民國88年1月底(2000.10 digibits) • 想法:可不可能放入多於一個浮水印,使其產生互補功能,藉以抵擋各種功能迥異的攻擊 • 實驗完成:民國88年3月27日 • 作法: Positive modulation (增加magnitude) Negative modulation (降低magnitude) 加 加 遇 + - 遇 + + 加 加 遇 - + 遇 - -
雞尾酒式浮水印技術(IV) • W(i)= bipolar(Tm(x,y)-T(x,y)) • We(i)=bipolar(Ta(x,y)-T(x,y)) =bipolar((Ta(x,y)-Tm(x,y))+ (Tm(x,y)-T(x,y))) =bipolar(Beta1+Beta2) • To obtain a higher detection, We(i) and W(i) should have the same sign. • Beta1 and Beta2 has the same sign • The influence of Beta1<the influence of Beta2 Complementary modulation JND
Complementary Modulation • The proposed scheme embeds two watermarks, each of them playing complementing roles in resisting various kinds of attacks. • Values of the two watermarks are drawn from the same watermark sequence. However, they are embedded using different modulation rules • Positive modulation • Negative modulation
雞尾酒式浮水印技術(II) • 例子: positive modulation increase magnitude attack +1250 +0.5 -1006 -0.3 -989 -0.3 +885 +0.2 +30 +0.1 830 matched, 170 not matched -> detector response 0.66
雞尾酒式浮水印技術(III) • 例子: negative modulation decrease magnitude attack +1250 -0.3 -1006 +0.1 -989 +0.2 +885 -0.3 +30 -0.1 220 matched, 780 not matched -> detector response -0.56
雞尾酒式浮水印技術(V) • 最厲害的攻擊(50% - 50%攻擊) • 1000 coefficients depends on ‘’images’’ • ill-posed 剛好讓 50% coefficients 讓 50% coefficients worst case: lowest detector response
實驗結果 • 32種不同攻擊後的結果 • 互補效應的驗證 • 用可辨識的pattern為例 • notebook 展示 • Detector response vs. 漸差的影像品質 • Detector response vs. 漸增的壓縮倍數 • Combined attack • Probabilities of False positive and False negative
Categories of Attacks (I) • Waveform attacks -- to impair the embedded watermark by manipulations of the whole watermarked media • Linear filtering, non-linear filtering, waveform-based compression (JPEG, EZW), addition of noise,…,etc • Detection-disabling attacks-- to break the correlation and to make the recovery of the watermarking impossible • Shear, pixel permutations sub-sampling, and other geometric distortions (Stir Mark, unZign)
Waveform attacks (I) • Blurring (27.79/35.64) • high-frequency components are deleted
Waveform attacks (II) • Sharpening (24.56/35.64) • high-frequency components are enhanced
Waveform attacks (III) • JPEG compression (19.38/35.64) • quality factor 5% • severe blocky effects
Waveform attacks (IV) • Embedding zero wavelet compression (23.66/35.64) • compression ratio 64:1 (SPIHT) • all wavelet coefficients are reduced
Detection-disabling attacks (I) • Jitter (13.36/35.64) • with 4 pairs of columns deleted and duplicated • raising asynchronous phenomena
Detection-disabling attacks (II) • StirMark (17.73/35.64) • all default parameters • non-linear operations • raising asynchronous phenomena
StirMark Attack Digimac, SysCoP, JK_PGS,EikonaMark, Signnum, etc. are successfully destroyed
Benchmark Tool: StirMark Apply minor geometric distortion • Stretching, shearing, shifting and rotation • Simulate printing/scanning process • Use ‘sinc’ for reconstruction function
Detection-disabling attacks (III) • Rotation (14.28/35.64) • registration problem
Detection-disabling attacks (IV) • Shear (13.73/35.64) • significant distortion
Categories of Attacks (II) • Interpretation attacks – to confuse by producing fake host media or fake watermark deadlock problem • Removal attacks – to analyze the watermarked data and discard only the watermark collusion attacks, non-linear filter operations
Interpretation Attack (I) Alice Bob original faked - + watermarked image original watermark faked watermark
Removal attacks (I) • Collusion attack (34.39/35.64) • 4 watermarked images hidden with 4 different watermarks are averaged
Attacked Watermarked Images host image watermarked image blurring median filtering rescaling sharpening 34.5 dB (15X15) 128X128 (11X11) histo. equalization dithering JPEG EZW StirMark StirMark+Rot180 (5%) (64:1) StirMark (5) jitter (5) flip bright/contrast Gaussian noise texturier
Attacked Watermarked Images host image watermarked image diff. clouds diffuse dust extrude 34.5 dB 128X128 facet halftone mosaic motion blurring patchwork photocopy pimch ripple shear smart blurring thresholding (96) twirl
Detection Result of Noise-style Watermark for the Tiger Image
Result of Our Method (conti.) Sharpening 75% Sharpening 85% Dithering Stirmark Negative Positive
Result of Our Method (conti.) 5 Stirmark Oil Painting Embossing DeSpeckle Negative Positive
Result of Our Method (conti.) Pixelization Equalization Rotation Rotation Negative Positive
Single-type Attack (Gaussian blurring) with decreasing qualities 3x3 15x15 31x31 The tiger image 128x128 in size is watermarked
Single-type Attack (SPIHT) with increasing compression ratios 4:1 512:1 The tiger image 128x128 in size is watermarked
Combined Attack (Repeated Attack) Attacks are composed of blurring (B) and histogram equalization (H) B BHB BHBH BH
Probability of False Negative P1 0.5 0.6 0.61 0.62 0.65 0.7 T 1 0.15 1 0.2 Probability of False Positive P1 0.5 T 0.15 0.2
商業用途 • 防篡改 • 照相機 • 錄音機 • 錄影機 • 監視器 Cocktail watermarking with sensors