From Attack to Protection: Leveraging Watermarking Attack Network for Advanced Add-on Watermarking
Seung-Hun Nam, Jihyeon Kang, Daesik Kim, Namhyuk Ahn, Wonhyuk Ahn
TL;DR
This work addresses the need for robustness benchmarking that is specific to multi-bit watermarking (MW) and that also preserves perceptual quality. It introduces WAN, a trainable watermarking attack network based on residual dense blocks that learns to invert embedded bits with minimal visual degradation, and a complementary Add-on Watermarking (AoW) mechanism that boosts the performance of existing MW methods without changing their rules. Through extensive experiments on rule-based and CNN-based MW methods across gray-scale and color datasets, WAN demonstrates strong capability to degrade watermark extractability while maintaining image quality, outperforming traditional benchmarks. AoW further enables controlled improvements in imperceptibility or robustness, offering a practical pathway to strengthen MW systems in real-world deployments.
Abstract
Multi-bit watermarking (MW) has been designed to enhance resistance against watermarking attacks, such as signal processing operations and geometric distortions. Various benchmark tools exist to assess this robustness through simulated attacks on watermarked images. However, these tools often fail to capitalize on the unique attributes of the targeted MW and typically neglect the aspect of visual quality, a critical factor in practical applications. To overcome these shortcomings, we introduce a watermarking attack network (WAN), a fully trainable watermarking benchmark tool designed to exploit vulnerabilities within MW systems and induce watermark bit inversions, significantly diminishing watermark extractability. The proposed WAN employs an architecture based on residual dense blocks, which is adept at both local and global feature learning, thereby maintaining high visual quality while obstructing the extraction of embedded information. Our empirical results demonstrate that the WAN effectively undermines various block-based MW systems while minimizing visual degradation caused by attacks. This is facilitated by our novel watermarking attack loss, which is specifically crafted to compromise these systems. The WAN functions not only as a benchmarking tool but also as an add-on watermarking (AoW) mechanism, augmenting established universal watermarking schemes by enhancing robustness or imperceptibility without requiring detailed method context and adapting to dynamic watermarking requirements. Extensive experimental results show that AoW complements the performance of the targeted MW system by independently enhancing both imperceptibility and robustness.
