Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

MarkSweep: A No-box Removal Attack on AI-Generated Image Watermarking via Noise Intensification and Frequency-aware Denoising

Jie Cao, Zelin Zhang, Qi Li, Jianbing Ni

TL;DR

MarkSweep tackles the problem of removing invisible watermarks from AI-generated images without access to watermark extractors or model internals. It combines noise intensification in high-frequency regions with a frequency-aware denoising network that uses a learnable frequency decomposition module and a frequency-aware fusion module, followed by SR enhancement, and provides an information-theoretic guarantee that watermark information is eroded. Empirically, it reduces watermark bit accuracy below detection thresholds across multiple schemes while preserving perceptual quality, and does so with significantly faster runtime than prior attacks. This work highlights a vulnerability in current in-generation watermarking approaches and motivates the development of more robust, frequency-aware watermark defenses for AI-generated imagery.

Abstract

AI watermarking embeds invisible signals within images to provide provenance information and identify content as AI-generated. In this paper, we introduce MarkSweep, a novel watermark removal attack that effectively erases the embedded watermarks from AI-generated images without degrading visual quality. MarkSweep first amplifies watermark noise in high-frequency regions via edge-aware Gaussian perturbations and injects it into clean images for training a denoising network. This network then integrates two modules, the learnable frequency decomposition module and the frequency-aware fusion module, to suppress amplified noise and eliminate watermark traces. Theoretical analysis and extensive experiments demonstrate that invisible watermarks are highly vulnerable to MarkSweep, which effectively removes embedded watermarks, reducing the bit accuracy of HiDDeN and Stable Signature watermarking schemes to below 67%, while preserving perceptual quality of AI-generated images.

MarkSweep: A No-box Removal Attack on AI-Generated Image Watermarking via Noise Intensification and Frequency-aware Denoising

TL;DR

MarkSweep tackles the problem of removing invisible watermarks from AI-generated images without access to watermark extractors or model internals. It combines noise intensification in high-frequency regions with a frequency-aware denoising network that uses a learnable frequency decomposition module and a frequency-aware fusion module, followed by SR enhancement, and provides an information-theoretic guarantee that watermark information is eroded. Empirically, it reduces watermark bit accuracy below detection thresholds across multiple schemes while preserving perceptual quality, and does so with significantly faster runtime than prior attacks. This work highlights a vulnerability in current in-generation watermarking approaches and motivates the development of more robust, frequency-aware watermark defenses for AI-generated imagery.

Abstract

AI watermarking embeds invisible signals within images to provide provenance information and identify content as AI-generated. In this paper, we introduce MarkSweep, a novel watermark removal attack that effectively erases the embedded watermarks from AI-generated images without degrading visual quality. MarkSweep first amplifies watermark noise in high-frequency regions via edge-aware Gaussian perturbations and injects it into clean images for training a denoising network. This network then integrates two modules, the learnable frequency decomposition module and the frequency-aware fusion module, to suppress amplified noise and eliminate watermark traces. Theoretical analysis and extensive experiments demonstrate that invisible watermarks are highly vulnerable to MarkSweep, which effectively removes embedded watermarks, reducing the bit accuracy of HiDDeN and Stable Signature watermarking schemes to below 67%, while preserving perceptual quality of AI-generated images.
Paper Structure (13 sections, 2 theorems, 16 equations, 4 figures, 2 tables)

This paper contains 13 sections, 2 theorems, 16 equations, 4 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Problem Formulation
  4. Threat Model
  5. METHODOLOGY
  6. Overview
  7. Intensification of Watermark Noise
  8. Denoising Network
  9. Theoretical Analysis
  10. Experiment
  11. Experimental Setup
  12. Attack Performance
  13. Conclusion

Key Result

Theorem 4.1

Let $x$ denote a clean image and $w$ be a binary watermark. For the Markov chain with noise intensification $n=\mathcal{A}(x_w,\mu,\sigma,s)$ and denoising network $\mathcal{M}_\theta$, the mutual information satisfies:

Figures (4)

  • Figure 1: Overview. Alice embeds watermarks in AI-generated images for attribution, but attackers can remove them, enabling the unauthorized dissemination of AI-generated content.
  • Figure 2: An illustration of MarkSweep pipeline.
  • Figure 3: Outputs of the SOTA removal attacks against HiDDeN watermarking method.
  • Figure 4: Comparison of AS across SOTA attacks.

Theorems & Definitions (2)

  • Theorem 4.1: Information-Theoretic Guarantee of Watermark Removal
  • Theorem 4.2: Attack Effectiveness