ResGuard: Enhancing Robustness Against Known Original Attacks in Deep Watermarking

TL;DR

ResGuard is a plug-and-play module that significantly improves the robustness of deep watermarking against known original attacks by enforcing image-dependent residuals and enhancing security.

Contribution

It introduces a residual specificity enhancement loss and an auxiliary KOA noise layer to make watermark residuals more image-dependent and resistant to targeted removal strategies.

Findings

Watermark removal accuracy improved from 59.87% to 99.81%.

ResGuard effectively defends against residual-based removal attacks.

The method enhances robustness without sacrificing visual quality.

Abstract

Deep learning-based image watermarking commonly adopts an "Encoder-Noise Layer-Decoder" (END) architecture to improve robustness against random channel distortions, yet it often overlooks intentional manipulations introduced by adversaries with additional knowledge. In this paper, we revisit this paradigm and expose a critical yet underexplored vulnerability: the Known Original Attack (KOA), where an adversary has access to multiple original-watermarked image pairs, enabling various targeted suppression strategies. We show that even a simple residual-based removal approach, namely estimating an embedding residual from known pairs and subtracting it from unseen watermarked images, can almost completely remove the watermark while preserving visual quality. This vulnerability stems from the insufficient image dependency of residuals produced by END frameworks, which makes them transferable across images. To address this, we propose ResGuard, a plug-and-play module that enhances KOA robustness by enforcing image-dependent embedding. Its core lies in a residual specificity enhancement loss, which encourages residuals to be tightly coupled with their host images and thus improves image dependency. Furthermore, an auxiliary KOA noise layer injects residual-style perturbations during training, allowing the decoder to remain reliable under stronger embedding inconsistencies. Integrated into existing frameworks, ResGuard boosts KOA robustness, improving average watermark extraction accuracy from 59.87% to 99.81%.