ResGuard: Enhancing Robustness Against Known Original Attacks in Deep Watermarking

Abstract

Deep learning-based image watermarking commonly adopts an "Encoder-Noise Layer-Decoder" (END) architecture to improve robustness against random channel distortions, yet it often overlooks intentional manipulations introduced by adversaries with additional knowledge. In this paper, we revisit this paradigm and expose a critical yet underexplored vulnerability: the Known Original Attack (KOA), where an adversary has access to multiple original-watermarked image pairs, enabling various targeted suppression strategies. We show that even a simple residual-based removal approach, namely estimating an embedding residual from known pairs and subtracting it from unseen watermarked images, can almost completely remove the watermark while preserving visual quality. This vulnerability stems from the insufficient image dependency of residuals produced by END frameworks, which makes them transferable across images. To address this, we propose ResGuard, a plug-and-play module that enhances KOA robustness by enforcing image-dependent embedding. Its core lies in a residual specificity enhancement loss, which encourages residuals to be tightly coupled with their host images and thus improves image dependency. Furthermore, an auxiliary KOA noise layer injects residual-style perturbations during training, allowing the decoder to remain reliable under stronger embedding inconsistencies. Integrated into existing frameworks, ResGuard boosts KOA robustness, improving average watermark extraction accuracy from 59.87% to 99.81%.

Figures (8)

• Figure 1: Illustration of an example of the Known Original Attack (KOA) evaluated with RoSteALS bui2023rosteals, showing that even a single residual extracted from one host–watermarked pair can suppress watermark decoding across other images.
• Figure 2: Framework of the proposed ResGuard. It consists of five main components: the encoder $E$, the combined noise layer, the KOA noise layer, the residual specificity enhancement module, and the decoder $D$. The model is trained end-to-end using two basic losses: $\mathcal{L}_{img}$ enforces visual similarity between the host and watermarked images, and $\mathcal{L}_{mes}$ ensures accurate message extraction under both common distortions and KOA attacks. Additionally, $\mathcal{L}_{RSE}$ promotes image-specific residual patterns and suppresses cross-image transferability, enhancing robustness against KOA.
• Figure 3: Bitwise extraction accuracy under KOA across five baseline methods. Each curve shows performance variation with the number of available host--watermarked pairs $N$. Models equipped with ResGuard maintain consistently high accuracy, demonstrating strong robustness against KOA.
• Figure 4: (a) JPEG, $QF$=25; (b) Gaussian noise, $\mu=0, \sigma=0.05$; (c) Salt-and-pepper noise, $p=0.05$; (d) Gaussian blur, $r=4$; (e) Median filter, $k=7$.
• Figure 5: Comparison of inter-image residual similarity before and after applying ResGuard across five watermarking methods. Solid markers denote original models, while hollow markers represent ResGuard-enhanced counterparts. A lower similarity indicates more image-specific residuals.