Box-Free Model Watermarks Are Prone to Black-Box Removal Attacks

Haonan An, Guang Hua, Zhiping Lin, Yuguang Fang

TL;DR

The paper addresses the vulnerability of box-free model watermarking for image-to-image tasks under black-box removal threats. It introduces extractor-gradient-guided (EGG) removers and a transferable remover to erase or overwrite embedded watermarks while preserving output quality, across three practical threat scenarios. Extensive experiments on reputed box-free methods demonstrate effective watermark removal and even overwriting, highlighting gaps in current protections and the need for removal-proof designs. The work emphasizes real-world IP protection challenges for generative image processing models and has significant implications for the design of robust watermarking schemes and ownership verification. The proposed attacks also show generalization to workflow-mismatched setups, signaling a broader risk to watermarking in AI security contexts.

Abstract

Box-free model watermarking is an emerging technique to safeguard the intellectual property of deep learning models, particularly those for low-level image processing tasks. Existing works have verified and improved its effectiveness in several aspects. However, in this paper, we reveal that box-free model watermarking is prone to removal attacks, even under the real-world threat model such that the protected model and the watermark extractor are in black boxes. Under this setting, we carry out three studies. 1) We develop an extractor-gradient-guided (EGG) remover and show its effectiveness when the extractor uses ReLU activation only. 2) More generally, for an unknown extractor, we leverage adversarial attacks and design the EGG remover based on the estimated gradients. 3) Under the most stringent condition that the extractor is inaccessible, we design a transferable remover based on a set of private proxy models. In all cases, the proposed removers can successfully remove embedded watermarks while preserving the quality of the processed images, and we also demonstrate that the EGG remover can even replace the watermarks. Extensive experimental results verify the effectiveness and generalizability of the proposed attacks, revealing the vulnerabilities of the existing box-free methods and calling for further research.
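The abstract describes the verification side only in passing: the owner feeds outputs of the protected model to the extractor (ENet) and checks whether the registered watermark comes back, with an all-white extractor output meaning the watermark is gone (Figure 2). The following verifier, an added example and not the paper's code, scores an extractor output against the registered watermark and separates the three outcomes the paper describes (intact, removed, overwritten); the binary 8x8 patterns, the flipped-bit count and the thresholds are constructed assumptions.

```python
# Added example, not the paper's code: a verifier that scores what the extractor (ENet)
# returns against the registered watermark and separates the three outcomes the paper
# describes: intact, removed (all-white ENet output) and overwritten. Watermarks are
# modelled as binary images (0 = black, 1 = white); patterns and thresholds are assumed.
import random

WHITE = 1  # paper's convention: an all-white ENet output means "no watermark present"

def bit_accuracy(extracted, reference):
    """Fraction of pixels where the extracted watermark matches the registered one."""
    pairs = [(e, r) for er, rr in zip(extracted, reference) for e, r in zip(er, rr)]
    return sum(e == r for e, r in pairs) / len(pairs)

def ncc(extracted, reference):
    """Normalized cross-correlation of two binary images after mapping 0/1 to -1/+1.
    Returns 0.0 when either image has zero variance (e.g. an all-white output), where
    NCC is undefined; verify() catches the all-white case before relying on this."""
    a = [2 * p - 1 for row in extracted for p in row]
    b = [2 * p - 1 for row in reference for p in row]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da, db = [x - ma for x in a], [x - mb for x in b]
    norm = (sum(x * x for x in da) * sum(x * x for x in db)) ** 0.5
    return 0.0 if norm == 0 else sum(x * y for x, y in zip(da, db)) / norm

def verify(extracted, reference, ncc_threshold=0.8, white_threshold=0.98):
    """Classify an ENet output as 'intact', 'removed' or 'overwritten'.
    A (nearly) all-white output is the paper's signature of a removed watermark; a
    patterned output uncorrelated with the registered watermark means it was overwritten.
    Caveat: this assumes the registered watermark itself is not mostly white."""
    total = sum(len(row) for row in extracted)
    white_fraction = sum(p == WHITE for row in extracted for p in row) / total
    if white_fraction >= white_threshold:
        return "removed"
    if ncc(extracted, reference) >= ncc_threshold:
        return "intact"
    return "overwritten"

def sample_cases(size=8, flips=2, seed=0):
    """Constructed ENet outputs for the three outcomes: (reference, noisy, white, other)."""
    rng = random.Random(seed)
    reference = [[(r + c) % 2 for c in range(size)] for r in range(size)]  # checkerboard
    noisy = [row[:] for row in reference]  # intact watermark, imperfect extraction
    for r, c in rng.sample([(r, c) for r in range(size) for c in range(size)], flips):
        noisy[r][c] = 1 - noisy[r][c]
    white = [[WHITE] * size for _ in range(size)]  # watermark removed
    other = [[int(c < size // 2) for c in range(size)] for _ in range(size)]  # overwritten
    return reference, noisy, white, other
```

Calling `verify(out, ref)` on the three constructed outputs from `sample_cases()` yields "intact", "removed" and "overwritten" respectively; in practice the thresholds would be calibrated on the real extractor's outputs for clean and unwatermarked inputs.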

Paper Structure (32 sections, 16 equations, 11 figures, 8 tables)

Figures (11)

  • Figure 1: Flowchart of box-free watermarking for image-to-image models, where image denoising is used as an example.
  • Figure 2: Flowchart of the victim model and the proposed attack, where ONet and ENet are secured in black-box, with only their API available to attacker. Images processed by RNet will be watermark-free, corresponding to all-white outputs from ENet.
  • Figure 3: Flowchart of the training process for the proposed (a) EGG RNet and (b) Transferable RNet. Note that the proxy models are private and are frozen during the training of the Transferable RNet.
  • Figure 4: Block diagram of a simplified ENet.
  • Figure 5: Qualitative demonstration of the proposed EGG watermark remover RNet against victim models (a) V1 [wu2020watermarking] and (b) V2 [zhang2021deep].