Fraternal Twins: Unifying Attacks on Machine Learning and Digital Watermarking

Machine learning is increasingly used in security-critical applications, such as autonomous driving, face recognition and malware detection. Most learning methods, however, have not been designed with security in mind and thus are vulnerable to different types of attacks. This problem has motivated the research field of adversarial machine learning that is concerned with attacking and defending learning methods. Concurrently, a different line of research has tackled a very similar problem: In digital watermarking information are embedded in a signal in the presence of an adversary. As a consequence, this research field has also extensively studied techniques for attacking and defending watermarking methods. The two research communities have worked in parallel so far, unnoticeably developing similar attack and defense strategies. This paper is a first effort to bring these communities together. To this end, we present a unified notation of black-box attacks against machine learning and watermarking that reveals the similarity of both settings. To demonstrate the efficacy of this unified view, we apply concepts from watermarking to machine learning and vice versa. We show that countermeasures from watermarking can mitigate recent model-extraction attacks and, similarly, that techniques for hardening machine learning can fend off oracle attacks against watermarks. Our work provides a conceptual link between two research fields and thereby opens novel directions for improving the security of both, machine learning and digital watermarking

doi:10.1155/2007/64521 Research Article A Workbench for the BOWS Contest

The first break our watermarking system (BOWS) contest challenged researchers to remove the watermark from three given images. Participants could submit altered versions of the images to an online detector. For a successful attack, the watermark had to be unreadable to this detector with a quality above 30 dB peak signal-to-noise ratio. We implemented our experiments in R, a language for statistical computing. This paper presents the BOWS package, an extension for R, along with examples for using this experimental environment. The BOWS package provides an offline detector for several platforms. Furthermore, the particular watermarking algorithm used in the contest is analysed. We show how to find single coefficient attacks and derive high-quality images (62.6 dB PSNR) with full knowledge of the key. Copyright © 2007 Andreas Westfeld. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. 1