數位內容保護與多媒體趨勢研 討會 主講人：呂俊賢博士 中央研究院 資訊科學研究所 助研究員 12/18/2004 高雄第一科技大學 報告者：馮振邦

2 Outline Digital Watermarking Semi-Fragile Watermarking Steganography Media Hashing

3 Why IPR Protection? Analog MediaDigital Media Original Copy 1Copy N ¼¼  Original Copy 1Copy N == =

4 Traditional Protection Method: Encryption Protect confidentially Protection vanishes after decryption Original Data Encrypted Data Unprotected Data Secret Key EncryptDecrypt

5 New Protection Technologies: Watermarking and Hashing Digital Watermarking (Data Hiding) Content has to be modified (a data hiding technique) Contents to be protected must be watermarked Measures “ originality ” Stand-along Media Hashing (Fingerprinting) Content is not modified (a non-hiding technique) Can track the usage of contents already available in the public domain Measure “ similarity ” Connection to database required

6 Applications Data Hiding Copyright Protection Robust Watermarking Traitor Tracing Digital Fingerprinting Content Authentication Semi-Fragile Watermarking Secret Communication Steganography Non-Hiding Illegal Copy Detection/Searching Media Hashing

7 Types of Digital Watermarking Visible Watermarking Invisible Watermarking

8 Data Correction (denoising)

9 Terminology Cover (original, host) data Image, video, audio, 3D object, graphics, … Stego (watermarked) data Suspect (attacked/stego/unmarked) data Watermark Hidden signal/message/logo

10 Transparency Both cover data and stego data should be perceptually indistinguishable Techniques Heuristic-determined weighted (low-amplitude modifications) Human Visual System (HVS) DCT-based (vision.arc.nasa.gov/personnel/al/ahumada.html) Image dependent Wavelet-based (Watson et al. ’ 97) Image independent Noise Visibility Function (NVF) (Voloshynovskiy et al. ‘ 99)

11 Wavelet-based HVS LH HL HH Watson et al., IEEE Trans. Image Proc, ’ 97

12 Noise Visibility Function (NVF) Voloshynovskiy et al. ’ 99 NVF is defined as 01 NVF smoothcomplex

13 Robustness Def. – The ability to resist against attacks Attacks are only considered useful if the hidden watermark could be removed or undetectable before the quality of data has been destroyed

14 Watermark Attacks Watermarking Attacks Removal Attack Geometrical Attack Cryptographic Attack Protocol Attack Denoising Lossy compression Quantization Remodulation Collusion Averaging Global, local warping Global, local transforms Jittering Brute force key search Oracle Watermark inversion Copy attack Voloshynovskiy et al. “ attacks modeling: towards a second generation watermarking benchmark, ” Signal Processing, 2001 Kutter and Petitcolas, “ A fair benchmark for image watermarking systems, ” Proc. SPIE99

15 Dispute Attack: Single Watermarked Image Counterfeit Original (Craver et al. ‘ 98) Original watermark stego + Faked Watermark - Faked

16 Dispute Attack: Twin Watermarking Image Counterfeit Original (TWICO) (Craver et al. ’ 98) Original watermark Stego 1 + Faked Watermark + Fake Original Stego 2 ¼

17 Copy Attack (Kutter et al. ‘ 00) Watermark extraction Watermark insertion Watermarked image Counterfeit Watermarked image

18 Self-Reference Watermark (Kutter ‘ 98)

19 Capacity Payload of watermarks One-bit information Indicates whether of not the image contains a specified watermark Suitable for tamper proofing application Multiple-bit information Useful information such as an identification number, copyright statement, etc. can be hidden At least 64-bit payload is required

20 Detection (Decryption) Only a trusted third party Secret keys won ’ t be exposed Use different parameters (private/public key) The knowledge of detection algorithm and public key should not be the clue At present, both robustness and security are still insufficient in the public watermarking paradigm Blind vs. Non-blind

21 Performance Evaluation False positive Actually no, but the algorithm returned yes False negative Actually yes, but the algorithm returned no

22 ROC (Receiver Operating Characteristic) Curves X- 軸是 1-Specificity = 1 - TN/(TN+FP) = FP/(TN+FP) 也就是 False Positive Rate Y- 軸是 Sensitivity = TP/(TP+FN) 也就是 True Positive Rate

23 藍色為物件為假，綠色為真 黃色為判斷為真，橘色為判斷為假

24 如果預測越接近真實, 就是說預測會越接 近左上角. 另外, 測試結果也可以記錄起來, 如果測 試結果的連線, 越接近左上角的 excellent test 就是越好的. 如果越接近中間的 worst case 就是越差的, 以此可以用作測量您的 實驗是否準確 ~

25 Digital Watermarking Products Giovanni (blueSpike, SysCop (MediaSec Technologies, Digimark Watermarking Solutions, (Digimarc, AudioMark, VideoMark (Alpha-Tec Ltd,

26 Watermarking Resources Digital Watermarking World – papers, images, softwares, … Watermarking mailing list Watermarking conferences IHW (Information Hiding Workshop) ACM Multimedia and Security Workshop SPIE: Conference on Security, Watermarking, and Steganography of Multimedia Contents IEEE: ICIP, ICME, MMSP, ICASSP, ISCAS, etc.

Semi-Fragile Watermarking For Content Authentication and Error Recovery

28 Seen is believing?

29 Authentication Capability Global/Local Authentication Global detection Even one bit error will lead to global incredibility Local detection Can locate where the content has been tampered with Fragility/Robustness Totally fragile All manipulations are regarded as malicious tampering Military and medical images Need both fragile and robust abilities Permit incidental modifications Lossless embedding Military and medical images Error recovery

30 Authentication Attacks Content-changing (malicious) modifications -Object detection/replacement, object swapping Content-preserving (incidental) modifications Compression, filtering

31 Semi-Fragile Watermarking Requirements Robustness Resist incidental manipulations (content-preserving processing) Fragility Locate malicious tampering (content-changing processing) Other general watermarking requirements

32 Kundur and Hatzinakos ’ s Method (Proc. IEEE ’ 99): Embedding Process Multimedia signal DHWT Quantization IDHWT Marked Signal Watermark Selection key Value of ∆

33 Multipurpose Watermarking Mintzer and Braudaway (ICASSP ’ 99) Conception about how different watermarks for different purposes are embedded Lu and Liao (IEEE IP ’ 00) Non-blind detection Deguillaume et al. (Signal Processing ’ 03) Joining a robust watermark and a fragile watermark Copyright protection is achieved by embedding multiple redundant watermarks to resist geometric distortions The embedded block-based watermarks are easily removed by the collusion attack (Lu and Hsu, 2003) Lu and Hsu (ICME ’ 04) Single block-based content-dependent watermark for both purposes

34 Semi-Fragile Watermarking for Error Detection and Concealment Transmission of digital contents in noise-prone environments suffers from packet loss or bust error

35 Data hiding-based Error Resilience Error detection (Authentication) Fragile watermark is inserted to reflect errors Error concealment (self-embedding) Recovery information generated from the original data should be embedded How many recovery bits (capacity)? Robust against modifications (robustness) Advantage Watermarked bit stream remains standard compliant Weakness Trade-off between intrusiveness and correction capacity

36 Semi-Fragile Watermarking Conclusions Design a method to detect malicious tampering is trivial Resistance to incidental modifications is a major issue Security is challenging Collage (Replacement) Attack Collusion and Copy Attacks

Steganography For Secret Communications

38 Steganography Covert communication: Transmission of a secret message hidden within an ordinary carrier without reveal its existence Requirements Security (statistical undetectibility) Capacity Robustness (optional)

39 Earlier Steganography Apparently neutral ’ s protest is thoroughtly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by products. Ejecting suets and vegetable oils. … Pershing sails from NY June 1. Taking the second letter in each word

40 Steganography vs. Watermarking PropertyWatermarkingSteganography ModulationSubstantialLittle~moderate ImperceptibilityPerceptualStatistical RobustnessHighDepend on warden ’ s capacity Data importanceCarrier/messageMessage Selection of CarrierCannot be selectedCan be selected AdversaryActivePassive/active

41 Types of Warden Passive Can only snoop channel Active Can subtly manipulate channel Format converting Palette changing Lossy compressing Compression quality changing Low-pass filtering Scaling

42 Steganography Techniques Spatial domain techniques Least Significant Bit (LSB) Palette-based embedding Spread spectrum Frequency domain techniques Quantized embedding (embedding in JPEG image) Direct embedding

43 Steganography Conclusions Secret communication is everywhere around us today Steganography is still at an early stage of research Steganography robust against active warden Notion of security and capacity for Steganography needs to be investigated

Media Hashing (Digital Fingerprinting) For Traitor Tracing

45 Track 1 Architecture for Robust Identification of Media Content Track Track 1 Meta data Fingerprint Generator Database Compare Fingerprint Generator Test Track If match Return Track ID Confidence

46 Perceptual Hashing The fragility of cryptography hashing is too restricted Media data permits acceptable distortions Media hashing needs Robustness (error-resilience) Collision-free Fast searching (complexity) Scalability

47 Robust Signal Hashing Problem Hash(Baboon) = XXX … Hash(Lena) = YYY … Hash(Lena 2) = ZZZ … Should be very different Should be sufficiently similar

Robust Mesh-based Hashing for Copy Detection and Tracing of Images Chun-Shien Lu, Chao-Yong Hsu, Shih-Wei Sun, and Pao-Chi Chang Proc. IEEE Int. Conf. on Multimedia and Expo: special session on Media Identification, Taipei, Taiwan, 2004 Reporter: Jen-Bang Feng

49 The Proposed Method DWT Original image Harris detector Delaunay tesslation Mesh normalization Mesh-based Hash extraction Lowest-frequency component Mesh generation Normalized meshes Hash sequence

50 The Proposed Method

51 Mesh Normalization A B C MkMk A’A’ B’B’ C’C’ M k norm

52 Mesh-Based Hashing 32 4x4 DCT Total 64 blocks 64 bits per mesh, half 1 ’ s and half 0 ’ s