Decoupling Defense Strategies for Robust Image Watermarking

TL;DR

This paper introduces AdvMark, a two-stage fine-tuning framework that decouples defense strategies to enhance robustness of deep learning-based image watermarking against various attacks while maintaining high image quality.

Contribution

The paper proposes a novel two-stage decoupled approach for robust image watermarking, addressing adversarial and distortion attacks separately to improve robustness and visual quality.

Findings

Achieves up to 29% accuracy improvement against distortion attacks.

Achieves up to 33% accuracy improvement against regeneration attacks.

Achieves up to 46% accuracy improvement against adversarial attacks.

Abstract

Deep learning-based image watermarking, while robust against conventional distortions, remains vulnerable to advanced adversarial and regeneration attacks. Conventional countermeasures, which jointly optimize the encoder and decoder via a noise layer, face 2 inevitable challenges: (1) decrease of clean accuracy due to decoder adversarial training and (2) limited robustness due to simultaneous training of all three advanced attacks. To overcome these issues, we propose AdvMark, a novel two-stage fine-tuning framework that decouples the defense strategies. In stage 1, we address adversarial vulnerability via a tailored adversarial training paradigm that primarily fine-tunes the encoder while only conditionally updating the decoder. This approach learns to move the image into a non-attackable region, rather than modifying the decision boundary, thus preserving clean accuracy. In stage 2, we tackle distortion and regeneration attacks via direct image optimization. To preserve the adversarial robustness gained in stage 1, we formulate a principled, constrained image loss with theoretical guarantees, which balances the deviation from cover and previous encoded images. We also propose a quality-aware early-stop to further guarantee the lower bound of visual quality. Extensive experiments demonstrate AdvMark outperforms with the highest image quality and comprehensive robustness, i.e. up to 29\%, 33\% and 46\% accuracy improvement for distortion, regeneration and adversarial attacks, respectively.