基于可恢复对抗水印的主动防御方法

doi:10.3969/j.issn.0255-8297.2025.06.004

应用科学学报 ›› 2025, Vol. 43 ›› Issue (6): 935-947.doi: 10.3969/j.issn.0255-8297.2025.06.004

• 信号与信息处理 • 上一篇

基于可恢复对抗水印的主动防御方法

王金伟^1,2,3, 黄琬云¹, 张家伟¹, 罗向阳³, 马宾⁴

1. 南京信息工程大学计算机学院, 江苏南京 210044;
2. 南京信息工程大学江苏省大气环境与装备技术协同创新中心, 江苏南京 210044;
3. 信息工程大学数学工程与高级计算国家重点实验室, 河南郑州 450001;
4. 齐鲁工业大学山东省计算机网络重点实验室, 山东济南 250353

收稿日期:2024-01-08 发布日期:2025-12-19
通信作者: 王金伟,教授,研究方向为信息安全。E-mail:wjwei_2004@163.com E-mail:wjwei_2004@163.com
基金资助:
国家自然科学基金（No. 62072250, No. 61772281, No. 61702235, No. U163617, No. U1804263, No. 62172435, No. 61872203, No. 61802212）；中国中原科技创新领军人才项目（No. 214200510019）；河南省科技人才计划（No. 2018JR0018）；广东省信息安全技术重点实验室开放项目（No. 2020B1212060078）以及江苏省高等教育机构（PAPD）优先学术项目发展基金。

Active Defense Method Based on Recoverable Adversarial Watermarks

WANG Jinwei^1,2,3, HUANG Wanyun¹, ZHANG Jiawei¹, LUO Xiangyang³, MA Bin⁴

1. School of Computer Science, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China;
2. Jiangsu Collaborative Innovation Center of Atmospheric Environment and Equipment Technology, Nanjing University of Information Science and Technology, Nanjing 210044, Jiangsu, China;
3. State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University, Zhengzhou 450001, Henan, China;
4. Shandong Provincial Key Laboratory of Computer Networks, Qilu University of Technology, Jinan 250353, Shandong, China

Received:2024-01-08 Published:2025-12-19

摘要/Abstract

摘要： 可见水印作为版权保护的重要工具被广泛应用。然而，由于可见水印服从既定的嵌入规则，很难抵抗神经网络的破坏，这给现有版权保护方法带来了巨大的威胁和挑战。为解决这一问题，本文提出了一种基于可恢复对抗水印的主动防御方法，通过引入对抗噪声提高可见水印的抗去除能力，从而形成一种新的更有效的版权保护手段。此外，为解决水印嵌入后可能会遮盖宿主图像重要区域的问题，本文提出了一种可恢复的对抗性可见水印方案。该方案通过将宿主图像重要区域作为秘密信息嵌入到非水印区域，来帮助授权用户恢复宿主图像，从而提升对抗性可见水印的可恢复性。实验证明，该方法可以在攻击水印去除网络的同时保证良好的可恢复性。

关键词: 对抗样本, 可见水印, 水印去除网络, 抗去除

Abstract: Visible watermarks are widely adopted as an important tool for copyright protection. However, as visible watermarks follow fixed embedding rules, they are hardly resistant to destruction by neural networks, which poses significant threats and challenges to existing copyright protection methods. To solve this problem, this paper proposed an active defense method based on recoverable adversarial watermarks, which improved the anti-removal ability of visible watermarks by introducing adversarial noise, thereby forming a new and more effective copyright protection method. In addition, to address the problem that watermarks may cover important areas of the host image after embedding, a recoverable adversarial visible watermark scheme was proposed. This scheme assisted authorized users in recovering the host image by embedding the important regions of the host image as secret information into non-watermark regions, thereby improving the recoverability of adversarial visible watermarks. Experimental results demonstrate that this method can effectively attack watermark removal networks while maintaining favorable recoverability.

Key words: adversarial sample, visible watermark, watermark removal network, antiremoval

中图分类号:

TP391

王金伟, 黄琬云, 张家伟, 罗向阳, 马宾. 基于可恢复对抗水印的主动防御方法[J]. 应用科学学报, 2025, 43(6): 935-947.

WANG Jinwei, HUANG Wanyun, ZHANG Jiawei, LUO Xiangyang, MA Bin. Active Defense Method Based on Recoverable Adversarial Watermarks[J]. Journal of Applied Sciences, 2025, 43(6): 935-947.

参考文献

[1] Liu Y, Zhu Z, Bai X. WDNet: watermark-decomposition network for visible watermark removal [C]//IEEE Winter Conference on Applications of Computer Vision, 2021: 3684-3692.
[2] Cun X D, Pun C M. Split then refine: stacked attention-guided ResUNets for blind single image visible watermark removal [J]. AAAI Conference on Artificial Intelligence, 2021, 35(2): 1184-1192.
[3] Hertz A, Fogel S, Hanocka R, et al. Blind visual motif removal from a single image [C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2019: 6851-6860.
[4] Sun R Z, Su Y K, Wu Q Y. DENet: disentangled embedding network for visible watermark removal [C]//AAAI Conference on Artificial Intelligence, 2023, 37(2): 2411-2419.
[5] Szegedy C, Zaremba W, Sutskever I, et al. Intriguing properties of neural networks [DB/OL]. (2013-11-21) [2024-01-08]. https://arxiv.org/abs/1312.6199.
[6] Goodfellow I J, Shlens J, Szegedy C. Explaining and harnessing adversarial examples[DB/OL]. (2014-11-20) [2024-01-08]. https://arxiv.org/abs/1412.6572.
[7] Carlini N, Wagner D. Towards evaluating the robustness of neural networks [C]//2017 IEEE Symposium on Security and Privacy (SP), 2017: 39-57.
[8] Yin Z, Wang H, Chen L, et al. Reversible adversarial attack based on reversible image transformation [DB/OL]. (2021-05-25) [2024-01-08]. https://arxiv.org/pdf/1911.02360.
[9] Chen L, Zhu S W, Andrew A, et al. Reversible attack based on local visible adversarial perturbation [J]. Multimedia Tools and Applications, 2024, 83(4): 11215-11227.
[10] Chattopadhay A, Sarkar A, Howlader P, et al. Grad-CAM++: generalized gradientbased visual explanations for deep convolutional networks [C]//IEEE Winter Conference on Applications of Computer Vision, 2018: 839-847.
[11] He K M, Zhang X Y, Ren S Q, et al. Deep residual learning for image recognition [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2016: 770-778.
[12] Woo S, Park J, Lee J Y, et al. CBAM: convolutional block attention module [C]//Computer Vision-ECCV 2018, 2018: 3-19.
[13] Deng J, Dong W, Socher R, et al. ImageNet: a large-scale hierarchical image database [C]//IEEE Conference on Computer Vision and Pattern Recognition, 2009: 248-255.
[14] Madry A, Makelov A, Schmidt L, et al. Towards deep learning models resistant to adversarial attacks [DB/OL]. (2017-06-19) [2024-01-08]. https://arxiv.org/abs/1706.06083.
[15] Xiao C, Li B, Zhu J Y, et al. Generating adversarial examples with adversarial networks [DB/OL]. (2018-01-08) [2024-01-08]. https://arxiv.org/abs/1801.02610.
[16] Zhang J W, Wang J W, Wang H, et al. Self-recoverable adversarial examples: a new effective protection mechanism in social networks [J]. IEEE Transactions on Circuits and Systems for Video Technology, 2023, 33(2): 562-574.
[17] Jing J P, Deng X, Xu M, et al. HiNet: deep image hiding by invertible network [C]//IEEE/CVF International Conference on Computer Vision, 2021: 4713-4722.
[18] Almohammad A, Ghinea G. Stego image quality and the reliability of PSNR [C]//2nd International Conference on Image Processing Theory, Tools and Applications, 2010: 215-220.
[19] Wang Z, Bovik A C, Sheikh H R, et al. Image quality assessment: from error visibility to structural similarity [J]. IEEE Transactions on Image Processing, 2004, 13(4): 600-612.

基于可恢复对抗水印的主动防御方法

Active Defense Method Based on Recoverable Adversarial Watermarks

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 2

编辑推荐

Metrics

本文评价

[1]	张梦君, 熊邦书. SAR-ATR系统复数对抗样本生成方法[J]. 应用科学学报, 2024, 42(5): 747-756.
[2]	安新辰, 倪蓉蓉, 赵耀. 基于网格细分和边界自适应的三维模型可见水印[J]. 应用科学学报, 2016, 34(5): 503-514.