43 research outputs found
Secure and Robust Image Watermarking Scheme Using Homomorphic Transform, SVD and Arnold Transform in RDWT Domain
The main objective for a watermarking technique is to attain imperceptibility, robustness and security against various malicious attacks applied by illicit users. To fulfil these basic requirements for a scheme is a big issue of concern. So, in this paper, a new image watermarking method is proposed which utilizes properties of homomorphic transform, Redundant Discrete Wavelet Transform (RDWT), Arnold Transform (AT) along with Singular Value Decomposition (SVD) to attain these required properties. RDWT is performed on host image to achieve LL subband. This LL subband image is further decomposed into illumination and reflectance components by homomorphic transform. In order to strengthen security of proposed scheme, AT is used to scramble watermark. This scrambled watermark is embedded with Singular Values (SVs) of reflectance component which are obtained by applying SVD to it. Since reflectance component contains important features of image, therefore, embedding of watermark in this part provides excellent imperceptibility. Proposed scheme is comprehensively examined against different attacks like scaling, shearing etc. for its robustness. Comparative study with other prevailing algorithms clearly reveals superiority of proposed scheme in terms of robustness and imperceptibility
Identifying Appropriate Intellectual Property Protection Mechanisms for Machine Learning Models: A Systematization of Watermarking, Fingerprinting, Model Access, and Attacks
The commercial use of Machine Learning (ML) is spreading; at the same time,
ML models are becoming more complex and more expensive to train, which makes
Intellectual Property Protection (IPP) of trained models a pressing issue.
Unlike other domains that can build on a solid understanding of the threats,
attacks and defenses available to protect their IP, the ML-related research in
this regard is still very fragmented. This is also due to a missing unified
view as well as a common taxonomy of these aspects.
In this paper, we systematize our findings on IPP in ML, while focusing on
threats and attacks identified and defenses proposed at the time of writing. We
develop a comprehensive threat model for IP in ML, categorizing attacks and
defenses within a unified and consolidated taxonomy, thus bridging research
from both the ML and security communities
Applications de la représentation parcimonieuse perceptuelle par graphe de décharges (Spikegramme) pour la protection du droit d’auteur des signaux sonores
Chaque année, le piratage mondial de la musique coûte plusieurs milliards de dollars en
pertes économiques, pertes d’emplois et pertes de gains des travailleurs ainsi que la perte
de millions de dollars en recettes fiscales. La plupart du piratage de la musique est dû
à la croissance rapide et à la facilité des technologies actuelles pour la copie, le partage,
la manipulation et la distribution de données musicales [Domingo, 2015], [Siwek, 2007].
Le tatouage des signaux sonores a été proposé pour protéger les droit des auteurs et
pour permettre la localisation des instants où le signal sonore a été falsifié. Dans cette
thèse, nous proposons d’utiliser la représentation parcimonieuse bio-inspirée par graphe de
décharges (spikegramme), pour concevoir une nouvelle méthode permettant la localisation
de la falsification dans les signaux sonores. Aussi, une nouvelle méthode de protection du
droit d’auteur. Finalement, une nouvelle attaque perceptuelle, en utilisant le spikegramme,
pour attaquer des systèmes de tatouage sonore.
Nous proposons tout d’abord une technique de localisation des falsifications (‘tampering’)
des signaux sonores. Pour cela nous combinons une méthode à spectre étendu modifié
(‘modified spread spectrum’, MSS) avec une représentation parcimonieuse. Nous utilisons
une technique de poursuite perceptive adaptée (perceptual marching pursuit, PMP [Hossein
Najaf-Zadeh, 2008]) pour générer une représentation parcimonieuse (spikegramme) du
signal sonore d’entrée qui est invariante au décalage temporel [E. C. Smith, 2006] et qui
prend en compte les phénomènes de masquage tels qu’ils sont observés en audition. Un code
d’authentification est inséré à l’intérieur des coefficients de la représentation en spikegramme.
Puis ceux-ci sont combinés aux seuils de masquage. Le signal tatoué est resynthétisé à
partir des coefficients modifiés, et le signal ainsi obtenu est transmis au décodeur. Au
décodeur, pour identifier un segment falsifié du signal sonore, les codes d’authentification de
tous les segments intacts sont analysés. Si les codes ne peuvent être détectés correctement,
on sait qu’alors le segment aura été falsifié. Nous proposons de tatouer selon le principe
à spectre étendu (appelé MSS) afin d’obtenir une grande capacité en nombre de bits de
tatouage introduits. Dans les situations où il y a désynchronisation entre le codeur et le
décodeur, notre méthode permet quand même de détecter des pièces falsifiées. Par rapport
à l’état de l’art, notre approche a le taux d’erreur le plus bas pour ce qui est de détecter
les pièces falsifiées. Nous avons utilisé le test de l’opinion moyenne (‘MOS’) pour mesurer
la qualité des systèmes tatoués. Nous évaluons la méthode de tatouage semi-fragile par
le taux d’erreur (nombre de bits erronés divisé par tous les bits soumis) suite à plusieurs
attaques. Les résultats confirment la supériorité de notre approche pour la localisation des
pièces falsifiées dans les signaux sonores tout en préservant la qualité des signaux.
Ensuite nous proposons une nouvelle technique pour la protection des signaux sonores.
Cette technique est basée sur la représentation par spikegrammes des signaux sonores
et utilise deux dictionnaires (TDA pour Two-Dictionary Approach). Le spikegramme est
utilisé pour coder le signal hôte en utilisant un dictionnaire de filtres gammatones. Pour
le tatouage, nous utilisons deux dictionnaires différents qui sont sélectionnés en fonction
du bit d’entrée à tatouer et du contenu du signal. Notre approche trouve les gammatones appropriés (appelés noyaux de tatouage) sur la base de la valeur du bit à tatouer, et
incorpore les bits de tatouage dans la phase des gammatones du tatouage. De plus, il
est montré que la TDA est libre d’erreur dans le cas d’aucune situation d’attaque. Il est
démontré que la décorrélation des noyaux de tatouage permet la conception d’une méthode
de tatouage sonore très robuste.
Les expériences ont montré la meilleure robustesse pour la méthode proposée lorsque le
signal tatoué est corrompu par une compression MP3 à 32 kbits par seconde avec une
charge utile de 56.5 bps par rapport à plusieurs techniques récentes. De plus nous avons
étudié la robustesse du tatouage lorsque les nouveaux codec USAC (Unified Audion and
Speech Coding) à 24kbps sont utilisés. La charge utile est alors comprise entre 5 et 15 bps.
Finalement, nous utilisons les spikegrammes pour proposer trois nouvelles méthodes
d’attaques. Nous les comparons aux méthodes récentes d’attaques telles que 32 kbps MP3
et 24 kbps USAC. Ces attaques comprennent l’attaque par PMP, l’attaque par bruit
inaudible et l’attaque de remplacement parcimonieuse. Dans le cas de l’attaque par PMP,
le signal de tatouage est représenté et resynthétisé avec un spikegramme. Dans le cas de
l’attaque par bruit inaudible, celui-ci est généré et ajouté aux coefficients du spikegramme.
Dans le cas de l’attaque de remplacement parcimonieuse, dans chaque segment du signal,
les caractéristiques spectro-temporelles du signal (les décharges temporelles ;‘time spikes’)
se trouvent en utilisant le spikegramme et les spikes temporelles et similaires sont remplacés
par une autre.
Pour comparer l’efficacité des attaques proposées, nous les comparons au décodeur du
tatouage à spectre étendu. Il est démontré que l’attaque par remplacement parcimonieux
réduit la corrélation normalisée du décodeur de spectre étendu avec un plus grand facteur
par rapport à la situation où le décodeur de spectre étendu est attaqué par la transformation MP3 (32 kbps) et 24 kbps USAC.Abstract : Every year global music piracy is making billion dollars of economic, job, workers’ earnings
losses and also million dollars loss in tax revenues. Most of the music piracy is because of
rapid growth and easiness of current technologies for copying, sharing, manipulating and
distributing musical data [Domingo, 2015], [Siwek, 2007]. Audio watermarking has been
proposed as one approach for copyright protection and tamper localization of audio signals
to prevent music piracy. In this thesis, we use the spikegram- which is a bio-inspired sparse
representation- to propose a novel approach to design an audio tamper localization method
as well as an audio copyright protection method and also a new perceptual attack against
any audio watermarking system.
First, we propose a tampering localization method for audio signal, based on a Modified
Spread Spectrum (MSS) approach. Perceptual Matching Pursuit (PMP) is used to compute
the spikegram (which is a sparse and time-shift invariant representation of audio signals) as
well as 2-D masking thresholds. Then, an authentication code (which includes an Identity
Number, ID) is inserted inside the sparse coefficients. For high quality watermarking, the
watermark data are multiplied with masking thresholds. The time domain watermarked
signal is re-synthesized from the modified coefficients and the signal is sent to the decoder.
To localize a tampered segment of the audio signal, at the decoder, the ID’s associated to
intact segments are detected correctly, while the ID associated to a tampered segment is
mis-detected or not detected. To achieve high capacity, we propose a modified version of
the improved spread spectrum watermarking called MSS (Modified Spread Spectrum). We
performed a mean opinion test to measure the quality of the proposed watermarking system.
Also, the bit error rates for the presented tamper localization method are computed under
several attacks. In comparison to conventional methods, the proposed tamper localization
method has the smallest number of mis-detected tampered frames, when only one frame
is tampered. In addition, the mean opinion test experiments confirms that the proposed
method preserves the high quality of input audio signals.
Moreover, we introduce a new audio watermarking technique based on a kernel-based
representation of audio signals. A perceptive sparse representation (spikegram) is combined
with a dictionary of gammatone kernels to construct a robust representation of sounds.
Compared to traditional phase embedding methods where the phase of signal’s Fourier
coefficients are modified, in this method, the watermark bit stream is inserted by modifying
the phase of gammatone kernels. Moreover, the watermark is automatically embedded only
into kernels with high amplitudes where all masked (non-meaningful) gammatones have
been already removed. Two embedding methods are proposed, one based on the watermark
embedding into the sign of gammatones (one dictionary method) and another one based
on watermark embedding into both sign and phase of gammatone kernels (two-dictionary
method). The robustness of the proposed method is shown against 32 kbps MP3 with
an embedding rate of 56.5 bps while the state of the art payload for 32 kbps MP3 robust
iii
iv
watermarking is lower than 50.3 bps. Also, we showed that the proposed method is robust
against unified speech and audio codec (24 kbps USAC, Linear predictive and Fourier
domain modes) with an average payload of 5 − 15 bps. Moreover, it is shown that the
proposed method is robust against a variety of signal processing transforms while preserving
quality.
Finally, three perceptual attacks are proposed in the perceptual sparse domain using
spikegram. These attacks are called PMP, inaudible noise adding and the sparse replacement
attacks. In PMP attack, the host signals are represented and re-synthesized with
spikegram. In inaudible noise attack, the inaudible noise is generated and added to the
spikegram coefficients. In sparse replacement attack, each specific frame of the spikegram
representation - when possible - is replaced with a combination of similar frames located
in other parts of the spikegram. It is shown than the PMP and inaudible noise attacks
have roughly the same efficiency as the 32 kbps MP3 attack, while the replacement attack
reduces the normalized correlation of the spread spectrum decoder with a greater factor
than when attacking with 32 kbps MP3 or 24 kbps unified speech and audio coding (USAC)
Digital Watermarking for Verification of Perception-based Integrity of Audio Data
In certain application fields digital audio recordings contain sensitive content. Examples are historical archival material in public archives that preserve our cultural heritage, or digital evidence in the context of law enforcement and civil proceedings. Because of the powerful capabilities of modern editing tools for multimedia such material is vulnerable to doctoring of the content and forgery of its origin with malicious intent. Also inadvertent data modification and mistaken origin can be caused by human error. Hence, the credibility and provenience in terms of an unadulterated and genuine state of such audio content and the confidence about its origin are critical factors.
To address this issue, this PhD thesis proposes a mechanism for verifying the integrity and authenticity of digital sound recordings. It is designed and implemented to be insensitive to common post-processing operations of the audio data that influence the subjective acoustic perception only marginally (if at all). Examples of such operations include lossy compression that maintains a high sound quality of the audio media, or lossless format conversions. It is the objective to avoid de facto false alarms that would be expectedly observable in standard crypto-based authentication protocols in the presence of these legitimate post-processing. For achieving this, a feasible combination of the techniques of digital watermarking and audio-specific hashing is investigated.
At first, a suitable secret-key dependent audio hashing algorithm is developed. It incorporates and enhances so-called audio fingerprinting technology from the state of the art in contentbased audio identification. The presented algorithm (denoted as ”rMAC” message authentication code) allows ”perception-based” verification of integrity. This means classifying integrity breaches as such not before they become audible. As another objective, this rMAC is embedded and stored silently inside the audio media by means of audio watermarking technology. This approach allows maintaining the authentication code across the above-mentioned admissible post-processing operations and making it available for integrity verification at a later date. For this, an existent secret-key ependent audio watermarking algorithm is used and enhanced in this thesis work.
To some extent, the dependency of the rMAC and of the watermarking processing from a secret key also allows authenticating the origin of a protected audio. To elaborate on this security aspect, this work also estimates the brute-force efforts of an adversary attacking this combined rMAC-watermarking approach. The experimental results show that the proposed method provides a good distinction and classification
performance of authentic versus doctored audio content. It also allows the temporal localization of audible data modification within a protected audio file. The experimental evaluation finally provides recommendations about technical configuration settings of the combined watermarking-hashing approach.
Beyond the main topic of perception-based data integrity and data authenticity for audio, this PhD work provides new general findings in the fields of audio fingerprinting and digital watermarking. The main contributions of this PhD were published and presented mainly at conferences about multimedia security. These publications were cited by a number of other authors and hence had some impact on their works
Watermarking security
International audienceThis chapter deals with applications where watermarking is a security primitive included in a larger system protecting the value of multimedia content. In this context, there might exist dishonest users, in the sequel so-called attackers, willing to read/overwrite hidden messages or simply to remove the watermark signal.The goal of this section is to play the role of the attacker. We analyze means to deduce information about the watermarking technique that will later ease the forgery of attacked copies. This chapter first proposes a topology of the threats in Section 6.1, introducing three different concepts: robustness, worst-case attacks, and security. Previous chapter has already discussed watermark robustness. We focus on worst-case attacks in Section 6.2, on the way to measure watermarking security in Section 6.3, and on the classical tools to break a watermarking scheme in Section 6.4. This tour of watermarking security concludes by a summary of what we know and still do not know about it (Section 6.5) and a review of oracle attacks (Section 6.6). Last, Section 6.7 deals with protocol attacks, a notion which underlines the illusion of security that a watermarking primitive might bring when not properly used in some applications
Visual secret sharing and related Works -A Review
The accelerated development of network technology and internet applications has increased the significance of protecting digital data and images from unauthorized access and manipulation. The secret image-sharing network (SIS) is a crucial technique used to protect private digital photos from illegal editing and copying. SIS can be classified into two types: single-secret sharing (SSS) and multi-secret sharing (MSS). In SSS, a single secret image is divided into multiple shares, while in MSS, multiple secret images are divided into multiple shares. Both SSS and MSS ensure that the original secret images cannot be reconstructed without the correct combination of shares. Therefore, several secret image-sharing methods have been developed depending on these two methods for example visual cryptography, steganography, discrete wavelet transform, watermarking, and threshold. All of these techniques are capable of randomly dividing the secret image into a large number of shares, each of which cannot provide any information to the intrusion team. This study examined various visual secret-sharing schemes as unique examples of participant secret-sharing methods. Several structures that generalize and enhance VSS were also discussed in this study on covert image-sharing protocols and also this research also gives a comparative analysis of several methods based on various attributes in order to better concentrate on the future directions of the secret image. Generally speaking, the image quality generated employing developed methodologies is preferable to the image quality achieved through using the traditional visual secret-sharing methodology
Digital watermark technology in security applications
With the rising emphasis on security and the number of fraud related crimes
around the world, authorities are looking for new technologies to tighten
security of identity. Among many modern electronic technologies, digital
watermarking has unique advantages to enhance the document authenticity.
At the current status of the development, digital watermarking technologies
are not as matured as other competing technologies to support identity authentication
systems. This work presents improvements in performance of
two classes of digital watermarking techniques and investigates the issue of
watermark synchronisation.
Optimal performance can be obtained if the spreading sequences are designed
to be orthogonal to the cover vector. In this thesis, two classes of
orthogonalisation methods that generate binary sequences quasi-orthogonal
to the cover vector are presented. One method, namely "Sorting and Cancelling"
generates sequences that have a high level of orthogonality to the
cover vector. The Hadamard Matrix based orthogonalisation method, namely
"Hadamard Matrix Search" is able to realise overlapped embedding, thus the
watermarking capacity and image fidelity can be improved compared to using
short watermark sequences. The results are compared with traditional
pseudo-randomly generated binary sequences. The advantages of both classes
of orthogonalisation inethods are significant.
Another watermarking method that is introduced in the thesis is based
on writing-on-dirty-paper theory. The method is presented with biorthogonal
codes that have the best robustness. The advantage and trade-offs of
using biorthogonal codes with this watermark coding methods are analysed
comprehensively. The comparisons between orthogonal and non-orthogonal
codes that are used in this watermarking method are also made. It is found
that fidelity and robustness are contradictory and it is not possible to optimise
them simultaneously.
Comparisons are also made between all proposed methods. The comparisons
are focused on three major performance criteria, fidelity, capacity and
robustness. aom two different viewpoints, conclusions are not the same. For
fidelity-centric viewpoint, the dirty-paper coding methods using biorthogonal
codes has very strong advantage to preserve image fidelity and the advantage
of capacity performance is also significant. However, from the power
ratio point of view, the orthogonalisation methods demonstrate significant
advantage on capacity and robustness. The conclusions are contradictory
but together, they summarise the performance generated by different design
considerations.
The synchronisation of watermark is firstly provided by high contrast
frames around the watermarked image. The edge detection filters are used
to detect the high contrast borders of the captured image. By scanning
the pixels from the border to the centre, the locations of detected edges
are stored. The optimal linear regression algorithm is used to estimate the
watermarked image frames. Estimation of the regression function provides
rotation angle as the slope of the rotated frames. The scaling is corrected by
re-sampling the upright image to the original size. A theoretically studied
method that is able to synchronise captured image to sub-pixel level accuracy
is also presented. By using invariant transforms and the "symmetric
phase only matched filter" the captured image can be corrected accurately
to original geometric size. The method uses repeating watermarks to form an
array in the spatial domain of the watermarked image and the the array that
the locations of its elements can reveal information of rotation, translation
and scaling with two filtering processes
Triple scheme based on image steganography to improve imperceptibility and security
A foremost priority in the information technology and communication era is achieving an effective and secure steganography scheme when considering information hiding. Commonly, the digital images are used as the cover for the steganography owing to their redundancy in the representation, making them hidden to the intruders. Nevertheless, any steganography system launched over the internet can be attacked upon recognizing the stego cover. Presently, the design and development of an effective image steganography system are facing several challenging issues including the low capacity, poor security, and imperceptibility. Towards overcoming the aforementioned issues, a new decomposition scheme was proposed for image steganography with a new approach known as a Triple Number Approach (TNA). In this study, three main stages were used to achieve objectives and overcome the issues of image steganography, beginning with image and text preparation, followed by embedding and culminating in extraction. Finally, the evaluation stage employed several evaluations in order to benchmark the results. Different contributions were presented with this study. The first contribution was a Triple Text Coding Method (TTCM), which was related to the preparation of secret messages prior to the embedding process. The second contribution was a Triple Embedding Method (TEM), which was related to the embedding process. The third contribution was related to security criteria which were based on a new partitioning of an image known as the Image Partitioning Method (IPM). The IPM proposed a random pixel selection, based on image partitioning into three phases with three iterations of the Hénon Map function. An enhanced Huffman coding algorithm was utilized to compress the secret message before TTCM process. A standard dataset from the Signal and Image Processing Institute (SIPI) containing color and grayscale images with 512 x 512 pixels were utilised in this study. Different parameters were used to test the performance of the proposed scheme based on security and imperceptibility (image quality). In image quality, four important measurements that were used are Peak Signal-to-Noise Ratio (PSNR), Structural Similarity Index (SSIM), Mean Square Error (MSE) and Histogram analysis. Whereas, two security measurements that were used are Human Visual System (HVS) and Chi-square (X2) attacks. In terms of PSNR and SSIM, the Lena grayscale image obtained results were 78.09 and 1 dB, respectively. Meanwhile, the HVS and X2 attacks obtained high results when compared to the existing scheme in the literature. Based on the findings, the proposed scheme give evidence to increase capacity, imperceptibility, and security to overcome existing issues
ID Photograph hashing : a global approach
This thesis addresses the question of the authenticity of identity photographs, part of the documents required in controlled access. Since sophisticated means of reproduction are publicly available, new methods / techniques should prevent tampering and unauthorized reproduction of the photograph. This thesis proposes a hashing method for the authentication of the identity photographs, robust to print-and-scan. This study focuses also on the effects of digitization at hash level. The developed algorithm performs a dimension reduction, based on independent component analysis (ICA). In the learning stage, the subspace projection is obtained by applying ICA and then reduced according to an original entropic selection strategy. In the extraction stage, the coefficients obtained after projecting the identity image on the subspace are quantified and binarized to obtain the hash value. The study reveals the effects of the scanning noise on the hash values of the identity photographs and shows that the proposed method is robust to the print-and-scan attack. The approach focusing on robust hashing of a restricted class of images (identity) differs from classical approaches that address any imageCette thèse traite de la question de l’authenticité des photographies d’identité, partie intégrante des documents nécessaires lors d’un contrôle d’accès. Alors que les moyens de reproduction sophistiqués sont accessibles au grand public, de nouvelles méthodes / techniques doivent empêcher toute falsification / reproduction non autorisée de la photographie d’identité. Cette thèse propose une méthode de hachage pour l’authentification de photographies d’identité, robuste à l’impression-lecture. Ce travail met ainsi l’accent sur les effets de la numérisation au niveau de hachage. L’algorithme mis au point procède à une réduction de dimension, basée sur l’analyse en composantes indépendantes (ICA). Dans la phase d’apprentissage, le sous-espace de projection est obtenu en appliquant l’ICA puis réduit selon une stratégie de sélection entropique originale. Dans l’étape d’extraction, les coefficients obtenus après projection de l’image d’identité sur le sous-espace sont quantifiés et binarisés pour obtenir la valeur de hachage. L’étude révèle les effets du bruit de balayage intervenant lors de la numérisation des photographies d’identité sur les valeurs de hachage et montre que la méthode proposée est robuste à l’attaque d’impression-lecture. L’approche suivie en se focalisant sur le hachage robuste d’une classe restreinte d’images (d’identité) se distingue des approches classiques qui adressent une image quelconqu