Watermark Attack - Electrical and Computer Engineering
ENEE 739M S’02
Watermark Attacks
Hong Zhao
ENEE739M Multimedia Comm. & Info. Security(S’02)
®Min Wu
Watermark Attack 2/26
Outline
Introduction
Different Watermarks for Different Applications
Assumptions about Attackers
General Descriptions of Attack and Counterattack
Some Representative Attacks
Summary
Introduction
Why do we need to study attacks?
"To win each campaign, a general needs to know both his troop and the opponent's as well as possible."
-- Sun Tzu, The Art of War, 500 BC
– Identify weakness
– Propose improvement
– Study effects of current technology on watermark
An example of legitimate tools used as attacks
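[Figure: 512x512 Lenna; attack shown as edge estimation followed by edge-directed interpolation; values listed w/ orig and w/o orig]
– w/o distort: 138.51 (w/ orig), 19.32 (w/o orig)
– JPEG 10%: 34.96 (w/ orig), 12.40 (w/o orig)
– edge-directed interpolation: 6.30 (w/ orig), 4.52 (w/o orig)
– Threshold: 3 ~ 6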
From Min Wu’s UMCP ECEGSA Faculty Seminar 10/12/01
Watermarks for Different Applications
Robust Watermark
– Applications: Copy Control, Evidence of Ownership, Fingerprinting
– Requirement of Robust Watermark:
• The watermark can still be detected even after severe processing
– Attacker’s goal against Robust Watermark
• Make the detector unable to detect the watermark while keeping the
perceptual quality
Fragile Watermark
– Applications: multimedia authentication
– Requirement of Fragile Watermark
• Determine if the Work* (watermarked MM data) has been changed
• It’s difficult for an unauthorized person to insert a valid watermark
– Attacker’s goal against Fragile Watermark
• Make the watermark still valid after alteration of Work
• Generate a valid Work for new data
Assumptions about Attackers
Attacker knows nothing
– uses general weakness of watermarking schemes
Attacker has more than one watermarked work (Collusion Attack)
– different host data watermarked w/ the same watermark
– same host data watermarked w/ different watermarks
Attacker knows the algorithm (most widely used assumption)
– exploits specific weakness of the algorithm
– secrecy depends not on the algorithm but the key(s) used
Attacker has access to the detector as an oracle (black box)
– sensitivity analysis attack/gradient descent attack
Attack Categories
Unauthorized Embedding: (Attack against fragile watermark)
– Forges a valid watermarked Work for new host data
– Copy blocks of valid Work without understanding the content
Unauthorized Detection (terminology in Cox book)
– Decode the watermark content:
• Electronic medical files watermarked with patients’ ID
– Detect the existence of a watermark:
• Detectors are limited to few people for security/profit reasons
Unauthorized Removal
– Elimination attack: removes the watermark, no one can detect it
– Masking attack: watermark is still there, a smart detector can
detect it
System Attack
– Exploit the weakness of how the watermark is used
• Remove the watermark detector in the DVD copy machine
General Counterattacks
Preventing Unauthorized Embedding (for MM Data
Authentication Purpose)
– Use cryptographic tools or digital signature to prevent forging
– Copy attack: let the watermark be host data dependent
Preventing Unauthorized Detection
– Decoding content: encrypt watermark before embedding
– Detecting watermark existence: currently hard to counterattack
Preventing Unauthorized Removal
– Depends on specific attacks
Representative Attacks
Scrambling Attack
Pathological Distortions
Copy Attack
Ambiguity Attack
Sensitivity Analysis Attack and Gradient Descent Attack
Collusion Attack
Scrambling Attack
Scrambling Attack
– Attack automated copy control watermarks; general attack
– Watermark is still in the data, “By-Pass” the detector
– Samples of a Work are scrambled prior to presentation to a
watermark detector and de-scrambled later.
Mosaic Attack on Web Crawler [Petitcolas]
– A Work is broken into many small patches, each too small for
reliable detection.
– Demo software: 2Mosaic 0.2.2 for Microsoft Windows 95/98/NT
– Example
Counterattack against Mosaic Attack:
– Decrease the minimum required size for robust watermark
embedding
Synchronization Attack
Watermark is still in the Work, but detector can’t detect it
– Against ownership protection, copy control; general attacks
– Most watermarking schemes are sensitive to synchronization loss
StirMark Attack [Petitcolas]
From [Petitcolas]
– Source Code StirMark1.0 and Example
Counterattack:
– Attach a registration pattern
– Do image registration before detection if original image available
– Embed watermark in the transform (e.g., RST) invariant domain
StirMark Attack
Original
Watermarked Work
Detector Output: 94.6641
After StirMark Attack
Detector Output: 1.7644
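The drop in detector output after loss of synchronization, and its recovery by registration against the original, can be reproduced on a toy signal. This is an added example, not code from the lecture: the 1-D Gaussian host, the cyclic shift standing in for a geometric distortion, the embedding strength and all names are assumptions.

```python
import random

def correlate(signal, wm):
    """Linear-correlation detector statistic: mean of signal[i] * wm[i]."""
    return sum(s * w for s, w in zip(signal, wm)) / len(wm)

def shift(signal, k):
    """Cyclic shift right by k samples (negative k shifts left)."""
    k %= len(signal)
    return signal[-k:] + signal[:-k] if k else list(signal)

def register(received, original, max_shift=8):
    """Registration with the original available: pick the shift whose
    undoing best matches the original host, then undo it."""
    best = max(range(-max_shift, max_shift + 1),
               key=lambda k: correlate(shift(received, -k), original))
    return shift(received, -best), best

def run_demo(seed=739, n=4096, alpha=2.0, true_shift=3):
    rng = random.Random(seed)                       # constructed data
    host = [rng.gauss(0, 10) for _ in range(n)]     # stand-in for image samples
    wm = [rng.choice((-1, 1)) for _ in range(n)]    # pseudo-random +/-1 watermark
    marked = [h + alpha * w for h, w in zip(host, wm)]
    desynced = shift(marked, true_shift)            # synchronization lost
    realigned, est = register(desynced, host)
    return {
        "aligned": correlate(marked, wm),        # close to alpha
        "desync": correlate(desynced, wm),       # close to 0
        "registered": correlate(realigned, wm),  # back to the aligned value
        "estimated_shift": est,
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

With a detection threshold of alpha/2 (an assumed choice), the aligned and registered statistics pass and the desynchronized one does not, even though the watermark energy in the signal never changed.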
Linear Filtering and Noise Removal
Against additive independent (wmk and host) robust watermarks
– Watermark Estimation by [Langelaar]
[Block diagram: 3*3 median filter, subtraction (-), 3*3 HPF, truncate to [-2 2], adders (+); signals labelled A and W]
– Host Data Estimation by [Kutter]
• ML Estimation (No Prior on Image)
– Local Mean for Gaussian Watermark
– Local Median for Laplacian watermark
• MAP Estimation ( with Prior on Image)
– Wiener Filter for Gaussian watermark, Gaussian image
– Soft-Shrinkage for Gaussian watermark, Laplacian image
– Iterative RLS solution for Gaussian watermark, generalized G. image
Counterattacks
– [Su] $\Phi_{ww} = \Phi_{uu}\,(\sigma_w/\sigma_u)^2$ is the most robust against Wiener filtering attack on additive independent watermarking schemes
Copy Attack (Attack on Fragile WM)
Assume the attacker knows the embedding algorithm
Forge a Valid Watermark Work for New Host Data
– Counterattack: use crypto/digital signature
Copy Attack without Understanding the watermark’s content
– Find the watermark pattern → copy into new host data (e.g. LSB)
– VALID watermark is embedded in WRONG host image
– Counterattack: watermark is host image dependent
Collage Attack [Holliman]
– Each block is embedded independently
– Assume many valid Work available and the attacker knows the
embedded logo
– For each block to be embedded, choose one with min. MSE from a
big set of blocks which are correctly watermarked
– Counterattack: add adjacent blocks’ info. in the watermark
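The two counterattacks on this slide (a host-dependent watermark, and adjacent-block information in the watermark) can be checked side by side against a host-independent LSB scheme. This is an added example, not code from the lecture: the keyed HMAC construction, the 16-sample blocks, the sample data and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
BLOCK = 16  # samples per block; a flat list of 8-bit pixels stands in for an image

def embed_fixed(pixels, pattern):
    """Weak: LSBs carry a fixed pattern that ignores the host data."""
    return [(p & ~1) | pattern[i % len(pattern)] for i, p in enumerate(pixels)]

def verify_fixed(pixels, pattern):
    return all((p & 1) == pattern[i % len(pattern)] for i, p in enumerate(pixels))

def embed_bound(pixels, key):
    """Hardened: each block's LSBs are a keyed MAC over the upper 7 bits
    of that block and of the next block (cyclic)."""
    blocks = [[p >> 1 for p in pixels[i:i + BLOCK]] for i in range(0, len(pixels), BLOCK)]
    out = []
    for n, msbs in enumerate(blocks):
        neighbour = blocks[(n + 1) % len(blocks)]
        tag = hmac.new(key, bytes(msbs + neighbour), hashlib.sha256).digest()
        # 16 tag bits per block keep the demo small; a real design needs more.
        bits = [(tag[j // 8] >> (j % 8)) & 1 for j in range(len(msbs))]
        out += [(m << 1) | b for m, b in zip(msbs, bits)]
    return out

def verify_bound(pixels, key):
    return embed_bound(pixels, key) == list(pixels)  # re-embedding must be a no-op

def transplant_lsbs(valid_work, new_host):  # copy attack as described on the slide
    return [(n & ~1) | (v & 1) for v, n in zip(valid_work, new_host)]

def collage(work_a, work_b):  # first block from one valid Work, rest from another
    return work_a[:BLOCK] + work_b[BLOCK:]

# Constructed sample data (not from the lecture).
KEY = b"demo-key-constructed"
PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]
HOST_A = [(i * 37 + 11) % 256 for i in range(64)]
HOST_B = [(i * 91 + 5) % 256 for i in range(64)]

def run_demo():
    fa, fb = embed_fixed(HOST_A, PATTERN), embed_fixed(HOST_B, PATTERN)
    ba, bb = embed_bound(HOST_A, KEY), embed_bound(HOST_B, KEY)
    return {
        "fixed_copy": verify_fixed(transplant_lsbs(fa, HOST_B), PATTERN),
        "fixed_collage": verify_fixed(collage(fa, fb), PATTERN),
        "bound_valid": verify_bound(ba, KEY),
        "bound_copy": verify_bound(transplant_lsbs(ba, HOST_B), KEY),
        "bound_collage": verify_bound(collage(ba, bb), KEY),
    }
```

The fixed-pattern scheme accepts both the transplanted and the collaged data as valid, while the bound scheme accepts only the untouched Work.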
Collage Attack
[Figure: Legal User: original image + watermark → Block Based Embedding → Valid Work → Detector → Valid. Attacker: new image; for each block, Best Match chosen from blocks embedded with 1 and blocks embedded with 0 → "Claimed" Work → Detector → Valid!!!]
Ambiguity (Deadlock) Attack
Can a watermark give us the right info. about ownership? [Craver]
– Assume the attacker knows the embedding algorithm
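[Diagram: True Original $I_0$ + Alice's Watermark $W_1$ → Watermarked Work $I'$; $I'$ - Bob's Watermark $W_2$ → Fake Original $I'_0$; detector output]
– Alice's: $\langle I'_0 - I_0, W_1\rangle = \langle W_1 - W_2, W_1\rangle$ & $\langle I' - I_0, W_1\rangle = \langle W_1, W_1\rangle$
– Bob's: $\langle I_0 - I'_0, W_2\rangle = \langle W_2 - W_1, W_2\rangle$ & $\langle I' - I'_0, W_2\rangle = \langle W_2, W_2\rangle$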
– Alice’s original contains Bob’s watermark, Bob’s original
contains Alice’s watermark. Who is telling the truth?
– Embedding schemes: WM is invertible
• $E^{-1}(I') = (I'_0, W_2)$, $E(I'_0, W_2) = I'$, $D(I', W_2) = 1$, where $E^{-1}$ is a computationally feasible mapping (NEC: $v'_i = v_i(1 + \alpha w_i)$)
Suggested Counterattack
– Use non-invertible watermark embedding schemes
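The step behind the two pairs of inner products above, written out as an added derivation that is not part of the original slides. It assumes additive embedding, as the + and - signs in the diagram suggest, and that $W_1$ and $W_2$ are nearly uncorrelated.

$$I' = I_0 + W_1, \qquad I'_0 = I' - W_2 = I_0 + W_1 - W_2$$

$$\langle I' - I_0, W_1\rangle = \langle W_1, W_1\rangle, \qquad \langle I'_0 - I_0, W_1\rangle = \langle W_1 - W_2, W_1\rangle = \langle W_1, W_1\rangle - \langle W_2, W_1\rangle \approx \langle W_1, W_1\rangle$$

$$\langle I' - I'_0, W_2\rangle = \langle W_2, W_2\rangle, \qquad \langle I_0 - I'_0, W_2\rangle = \langle W_2 - W_1, W_2\rangle = \langle W_2, W_2\rangle - \langle W_1, W_2\rangle \approx \langle W_2, W_2\rangle$$

Each party's test returns roughly the full energy of its own watermark, both on the disputed Work and on the other party's claimed original, so the correlation results are symmetric and cannot order the two claims.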
Sensitivity Analysis Attack
Attacker has a black box detector that gives a hard decision
– This attack is against ownership protection and copy control
Assumptions about the detection region
– The direction of a short path can be well approximated by the
normal to the surface of the detection region
– This normal is relatively constant over a large part of the
detection region
Sensitivity Analysis Attack [Kalker]
– Find a Work that lies on the detection region boundary (Work A)
– Find the direction of the normal leaving the detection region wr
– Scale and subtract the normal from the watermarked Work
[Figure: Detection Region containing the Watermarked Work; Work A on the boundary; normal r; Attacked Work]
Gradient Descent Attack
Attacker has access to a detector giving soft-decision as an
oracle
Assumptions about the detection region
– Local gradient points in the direction of a short path to the
boundary.
Gradient Descent Attack [Kalker]
– Use any search strategy to determine the
local gradient of steepest descent.
– Move the Work along it by some amount
– Iterate till the attacked Work falls just
outside the detection region boundary
[Figure: Detection Region Boundary; Watermarked Work; Local Gradient; Attacked Work]
Summary
Watermarks’ requirements are different for different applications; so
are attacks on different watermarks
Watermark attacks include unauthorized embedding, unauthorized
detection, unauthorized removal and system attack
Some representative attacks: Scrambling Attack; Synchronization
Attack, Linear Filtering and Noise Removal; Copy Attack; Ambiguity
Attack; Sensitivity/Gradient Attack and Collusion Attack
General counterattacks include embedding content information and
adjacent block info. in watermark; embedding watermark in the transform-invariant domain; using non-invertible watermark embedding, etc.
More to be explored
Assignment
Take-Home Assignment
– What are the pros and cons for each of the three counterattacks
against synchronization attack?
• Attach a registration pattern
• Image registration
• Embed watermark in the transform invariant domain
References
F. Petitcolas, R. Anderson, M. Kuhn, Attacks on Copyright Marking Systems, 2nd Workshop on Info. Hiding, Lecture Notes in Computer Science, vol. 1525, April 1998
G. Langelaar, R. Langedijk, J. Biemond, Removing Watermarks by Nonlinear Filtering, Proc. European Signal Processing, Rhodes, Greece, Sept. 1998
M. Kutter, S. Voloshynovskiy and A. Herrigel, The Watermark Copy Attack, Security and Watermarking of Multimedia Contents II, SPIE-3971: 371-280, 2000
J. Su, B. Girod, Power-Spectrum Condition for Energy-Efficient Watermarking, ICIP, 1999
M. Holliman, N. Memon, Counterfeiting Attacks on Linear Watermarking Schemes, Proc. IEEE Multimedia Systems 98, June 1998
S. Craver, N. Memon, B. Yeo and M. Yeung, On the Invertibility of Invisible Watermarking Techniques, ICIP, 1997
W. Zeng, B. Liu, On Resolving Rightful Ownerships for Digital Images by Invisible Watermarks, ICIP 97
T. Kalker, Watermark Estimation through Detector Observation, Proc. IEEE Benelux Signal Processing Symposium, 1998, Leuven, Belgium, March 1998
F. Hartung, J. Su, B. Girod, Spread Spectrum Watermarking: Malicious Attacks and Counterattacks, Proc. SPIE Security and Watermarking of Multimedia Contents, vol. 3657, Jan. 1999
I. Cox, J. Linnartz, Some General Methods for Tampering with Watermarks, IEEE Journal on Sel. Areas in Comm., vol. 16, no. 4, May 1998
M. Wu, Multimedia Data Hiding, (chap. 9, 10) Ph.D. Thesis, Dept. of Electrical Engineering, Princeton Univ., April 2001
I. Cox, M. Miller, J. Bloom, Digital Watermarking, (chap. 9) Morgan Kaufmann Pub., 2001