DOI: 10.1145/3394171.3413976

Adv-watermark: A Novel Watermark Perturbation for Adversarial Examples

Published: 12 October 2020

Abstract

Recent research has shown that adding imperceptible perturbations to an image can fool deep learning models. The adversarial perturbations in current use, however, look like noise and carry no meaning of their own. Image watermarking is a technique widely used for copyright protection. A watermark can be regarded as a kind of meaningful noise: adding it to an image neither changes how people understand the image content nor arouses their suspicion. It is therefore interesting to generate adversarial examples using watermarks. In this paper we propose a novel watermark perturbation for adversarial examples (Adv-watermark) that combines image watermarking techniques with adversarial example algorithms: adding a meaningful watermark to a clean image is enough to make a DNN model misclassify it. Specifically, we propose a novel optimization algorithm, Basin Hopping Evolution (BHE), to generate adversarial watermarks in the black-box attack setting. Thanks to BHE, Adv-watermark needs only a few queries to the target model to complete an attack. A series of experiments on the ImageNet and CASIA-WebFace datasets shows that the proposed method generates adversarial examples efficiently and outperforms state-of-the-art attack methods. Moreover, Adv-watermark is more robust against image-transformation defenses.
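The abstract describes two ingredients: a visible watermark blended onto a clean image, and a query-efficient black-box search over the watermark's parameters (where it sits, how transparent it is) that drives the target model to a wrong label. The example below is added here to make that pipeline concrete; it is not code from the paper. The 16x16 grey-scale image, the 6x6 logo and the stand-in classifier are all constructed for illustration, and the optimizer is a generic basin-hopping loop (greedy local descent, then a random hop accepted by a Metropolis rule, after Wales and Doye), not the paper's Basin Hopping Evolution. The one thing the example does measure faithfully is the attacker's cost: every call to the model's `scores` method is counted as a black-box query.

```python
"""Added example: query-counting black-box watermark attack driven by basin hopping.

Constructed for illustration; not the Adv-watermark paper's code or its BHE algorithm.
"""
import math
import random

H = W = 16   # image size (constructed)
WM = 6       # logo side length (constructed)


def make_image():
    """Constructed input: horizontal brightness ramp from 0.35 (left) to 0.75 (right)."""
    return [[0.35 + 0.4 * c / (W - 1) for c in range(W)] for _ in range(H)]


def make_logo():
    """Constructed 'logo': 6x6 frame plus a diagonal stroke; 1 = logo pixel (black), 0 = transparent."""
    return [[1 if (r in (0, WM - 1) or c in (0, WM - 1) or r == c) else 0
             for c in range(WM)] for r in range(WM)]


def blend_watermark(image, logo, x, y, alpha):
    """Visible watermark by alpha blending: out = (1 - alpha) * image + alpha * 0.0 on logo
    pixels, with the logo's top-left corner at row x, column y. Returns a new image."""
    out = [row[:] for row in image]
    for r in range(WM):
        for c in range(WM):
            if logo[r][c]:
                out[x + r][y + c] = (1.0 - alpha) * image[x + r][y + c]
    return out


class ToyClassifier:
    """Stand-in for the attacked DNN (an assumption, not a real model): class 1 ('bright') when
    the mean of the central 8x8 window exceeds 0.5. Each call counts as one black-box query."""
    def __init__(self):
        self.queries = 0

    def scores(self, image):
        self.queries += 1
        m = sum(image[r][c] for r in range(4, 12) for c in range(4, 12)) / 64.0
        return [1.0 - m, m]


def argmax(xs):
    return max(range(len(xs)), key=lambda i: xs[i])


def margin(scores, label):
    """Positive while the model still prefers `label`; negative once the example is adversarial."""
    return scores[label] - max(s for j, s in enumerate(scores) if j != label)


def clip(v, lo, hi):
    return max(lo, min(hi, v))


def basin_hopping_attack(model, image, logo, start, budget=500, alpha_bounds=(0.1, 0.6),
                         alpha_step=0.1, hop=3, temperature=0.05, seed=0):
    """Search theta = (row, col, alpha) for a watermark that flips the clean prediction, using
    score queries only. Returns the best theta, whether it succeeded and the queries spent."""
    rng = random.Random(seed)
    label = argmax(model.scores(image))          # one query: the clean label we want to flip
    lo, hi = alpha_bounds

    def evaluate(theta):
        x, y, a = theta
        return margin(model.scores(blend_watermark(image, logo, x, y, a)), label)

    def neighbours(theta):
        x, y, a = theta
        cands = {(clip(x - 1, 0, H - WM), y, a), (clip(x + 1, 0, H - WM), y, a),
                 (x, clip(y - 1, 0, W - WM), a), (x, clip(y + 1, 0, W - WM), a),
                 (x, y, round(clip(a - alpha_step, lo, hi), 3)),
                 (x, y, round(clip(a + alpha_step, lo, hi), 3))}
        cands.discard(theta)
        return sorted(cands)

    cur, cur_loss = start, evaluate(start)
    best, best_loss = cur, cur_loss
    while model.queries < budget and best_loss >= 0:
        improved = True                          # phase 1: greedy descent to a local minimum
        while improved and model.queries < budget and best_loss >= 0:
            improved = False
            for cand in neighbours(cur):
                loss = evaluate(cand)
                if loss < best_loss:
                    best, best_loss = cand, loss
                if loss < cur_loss:
                    cur, cur_loss, improved = cand, loss, True
                if best_loss < 0 or model.queries >= budget:
                    break
        if best_loss < 0 or model.queries >= budget:
            break
        x, y, a = cur                            # phase 2: random hop out of the current basin
        cand = (clip(x + rng.randint(-hop, hop), 0, H - WM),
                clip(y + rng.randint(-hop, hop), 0, W - WM),
                round(clip(a + rng.choice((-alpha_step, 0.0, alpha_step)), lo, hi), 3))
        loss = evaluate(cand)
        if loss < best_loss:
            best, best_loss = cand, loss
        # Metropolis rule: always accept a better basin, occasionally a worse one
        if loss < cur_loss or rng.random() < math.exp(-(loss - cur_loss) / temperature):
            cur, cur_loss = cand, loss
    return {"theta": best, "loss": best_loss, "success": best_loss < 0,
            "queries": model.queries, "clean_label": label}


if __name__ == "__main__":
    model, img, logo = ToyClassifier(), make_image(), make_logo()
    print(basin_hopping_attack(model, img, logo, start=(0, 10, 0.1), seed=1))
```

The search only ever changes three numbers (position and transparency of a fixed logo), so the output is always a recognisable watermark rather than noise, which is the abstract's point; the `queries` counter is what a defender would compare against the hundreds or thousands of calls that noise-based black-box attacks typically spend. Against the constructed classifier the descent phase alone finds a flip in about a dozen queries; the hop phase exists for the targets where greedy descent stalls.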

Supplementary Material

MP4 File (3394171.3413976.mp4)
ACM Publications Presentation Videos


Published In

MM '20: Proceedings of the 28th ACM International Conference on Multimedia
October 2020, 4889 pages
ISBN: 9781450379885
DOI: 10.1145/3394171
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. adversarial examples
2. basin hopping evolution
3. watermark perturbation

Qualifiers

• Research-article


Acceptance Rates

Overall acceptance rate: 2,145 of 8,556 submissions (25%)


Article Metrics

• Downloads (last 12 months): 126
• Downloads (last 6 weeks): 5
Reflects downloads up to 25 Feb 2025

Cited By
• (2025) Light Attack: A Physical World Real-Time Attack Against Object Classifiers. IEEE Access 13, 36601-36610. DOI: 10.1109/ACCESS.2022.3181197
• (2025) Multifunctional adversarial examples. Signal Processing 230:C. DOI: 10.1016/j.sigpro.2024.109816. Online publication date: 1 May 2025
• (2025) Object-fabrication targeted attack for object detection. Neurocomputing 627, 129561. DOI: 10.1016/j.neucom.2025.129561. Online publication date: April 2025
• (2024) A Deep Dive into Reversible Adversarial Examples. In: Steganography - The Art of Hiding Information [Working Title]. DOI: 10.5772/intechopen.1005120. Online publication date: 22 May 2024
• (2024) BadPart. Proceedings of the 41st International Conference on Machine Learning, 8104-8122. DOI: 10.5555/3692070.3692389. Online publication date: 21 July 2024
• (2024) An Audio Watermarking Algorithm Based on Adversarial Perturbation. Applied Sciences 14(16), 6897. DOI: 10.3390/app14166897. Online publication date: 6 August 2024
• (2024) Sparse adversarial patch attack based on QR code mask. Journal of Image and Graphics 29(7), 1889-1901. DOI: 10.11834/jig.230453
• (2024) FAIC-Attack: An Adversarial Watermarking Attack against Face Age based on Identity Constraint. Proceedings of the 2024 7th International Conference on Machine Vision and Applications, 106-110. DOI: 10.1145/3653946.3653962. Online publication date: 12 March 2024
• (2024) Invisible Adversarial Watermarking: A Novel Security Mechanism for Enhancing Copyright Protection. ACM Transactions on Multimedia Computing, Communications, and Applications 21(2), 1-22. DOI: 10.1145/3652608. Online publication date: 14 March 2024
• (2024) Pixel Logo Attack: Embedding Attacks as Logo-Like Pixels. Proceedings of the Genetic and Evolutionary Computation Conference, 449-457. DOI: 10.1145/3638529.3654231. Online publication date: 14 July 2024