Patent Application
20060257001
The present invention relates to method and apparatus for detecting tampering in a watermarked information signal, for example, a multimedia signal, such as audio, video or data signals.
Watermarking of information signals is a technique for the transmission of additional data along with the information signal. For instance, watermarking techniques can be used to embed copyright and copy control information into audio signals.
Many watermark applications rely on the assumption that the watermark is secure. In the context of watermarking, security refers to the inability of an unauthorised user to have access to the raw watermarking data. In other words, an unauthorised user (“hacker”) should not be able to remove, detect, estimate, write or modify the raw watermarking data.
One example of such an attack is the so called “averaging-attack”. This attack makes use of the fact that the watermark is embedded with some redundancy, i.e. the watermark is repeated. If this repetition pattern is known or can be estimated (either by trial-and-error, experiment, or by studying related documents), the information signal may be averaged over time.
For instance, if the information signal is an audio signal, the averaging could be done in either the temporal or spectral domain (depending upon the watermark embedding technique utilised). As the audio signal is expected to change over time, whilst the watermark remains constant, the watermark signal will be accumulated coherently. Thus, by averaging a sufficient amount of audio signal, a relatively accurate estimate of the watermark can be made. Subsequently, knowledge of this watermark may be used to modify the information signal to remove or render unrecognisable the watermark signal. For instance, assume that a watermark signal is utilised to provide copy-protection, then if the watermark is modified so as to be unrecognisable by a detector, this will allow the information signal to be copied.
In order to make the watermark more robust to hacking attacks such as averaging, WO 01/99049 describes a method of embedding a watermark in an information signal by embedding different versions of the watermark in successive portions of the signal. The versions are different with respect to a property that is irrelevant for detection of the watermark.
WO 01/39121 describes a method of embedding a watermark in an information signal, the watermark being selected from a set of different watermarks in dependence upon a predetermined property of the signal. For example, the distribution of luminance values of a video image may be determined, and a watermark selected based upon the determined luminance value.
The inventors have also developed a more robust watermarking technique described in European Patent application number 02078615.8 (docket number PHNL020825) hereinafter referred to as [Veen 2002] in which at least two different watermarks are randomly embedded in an information signal. The watermarks are different with respect to a property which is relevant for detection of each watermark and an averaging type attack carried out against such a watermarking system will be unsuccessful as there is no predefined pattern for embedding the two watermarks.
Although such methods enhance the security of the watermark and make averaging attacks more difficult, it is also useful to be able to detect instances in which a watermarked information signal has been attacked. If an attack can be detected, then appropriate action such as denying an end user access to playback rights to the information content of the attacked signal may be desirable.
It is an aim of embodiments of the present invention to provide methods and apparatus for tamper detection in a watermarked information signal.
It is a further aim of embodiments of the invention to provide methods and apparatus in which when tampering has been detected, access to information in a watermarked signal is denied.
It is a still further aim to provide a method and apparatus in which tampering may be traced to a user or group of users.
According to a first aspect of the invention, there is provided a method of tamper detection in watermarking systems, the method comprising a comparison operation carried out during detection in which a watermark detected within a received information signal is compared to an expected watermark, the comparison operation being such that a property which is relevant for the positive detection of the expected watermark is compared to the equivalent property of the detected watermark, and if said property is detected as being altered then tampering is deemed to have taken place.
In the above method, a simple comparison between a property of an expected and the equivalent property of the detected watermark to check for alteration in the property is sufficient to yield a decision on whether tampering has occurred or not.
Preferably, in the comparison operation a received watermark is correlated with an expected watermark and if the correlation is sufficiently negative, it is decided that tampering with the information signal has occurred.
A second aspect provides a method for detecting a watermark comprising the steps of:
receiving a potentially watermarked multimedia signal;
estimating the embedded watermark sequence in the said multimedia signal; correlating said estimated watermark with a reference watermark; and
comparing a resulting correlation peak against a threshold level so as to determine if there has been tampering or not
Correlation checks of this kind provide an extremely simple and effective means of comparison and sufficiently highly negative correlation is compelling evidence that an averaging attack has taken place.
A third aspect concerns a method of detecting tampering with a watermark in an information signal, comprising the steps of: receiving an information signal that may potentially be tampered with and which is potentially watermarked with at least one watermark randomly embedded in the original information signal; analysing said signal so as to detect said watermark; comparing the detected watermark with the expected watermark; and
if said detected watermark comprises an approximate negative version of the expected watermark then determining that tampering has occurred.
With randomly embedded watermarks, a hacker is highly likely during averaging attacks to erroneously insert negative versions of the watermark at signal positions not matching the positions of the original watermark and the detection of such negative versions provides a convenient means of assessing whether tampering has occurred.
Preferably, the detected watermark carries a payload which is specific to a user or group of users, and tampering with the watermark is indicative of tampering by the user or group of users. The provision of user specific payloads in this manner enables the forensic tracking of hackers who may then be dealt with in an appropriate fashion.
A fourth aspect of the invention provides an apparatus arranged to detect a watermark in an information signal, the apparatus comprising an estimator for estimating the presence of a watermark in a received multimedia system, and a comparison module for comparing the estimated watermark with an expected watermark and deciding that tampering has taken place if the comparison module shows a sufficiently negative correlation between the estimated and expected watermarks.
In a fifth aspect, there is provided an apparatus arranged to detect tampering with a watermark in an information signal comprising:
receiving means arranged to receive a signal that may potentially be watermarked by at least one watermark randomly embedded in the original information signal;
first analysing means arranged to analyse said signal so as to detect said watermark; and
second analysing means arranged to analyse said watermark so as to detect whether said watermark is a close match to an expected watermark, wherein said second analysing means is arranged to detect both positive correlation and negative correlation peaks between the received and expected watermarks, a sufficiently high positive correlation peak indicating correct receipt of a watermark and a sufficiently high negative correlation peak indicating that the information signal has been tampered with.
Other aspects of the invention will be apparent from the dependent claims.
For a better understanding of the invention, and to show how embodiments of the same may be carried into effect, reference will now be made, by way of example only, to the accompanying diagrammatic drawings in which:
The embedding algorithms are different, such that the watermark generated by the algorithms will be different with respect to a property relevant for detection of the watermark. This can be achieved by using completely different algorithms (such as the ones mentioned above), or alternately using substantially the same algorithms but changing the parameters that define the watermark, such as the key and/or payload.
A property which is relevant for detection of the watermark is the property of the watermark that must be known in order to successfully detect the watermark. For instance, one should know which watermark system and its respective key (e.g., Emb1/Detect1/Key1) is being used. By using another detection system and/or key (e.g. Emb1/Detect2/Key1) one would, in general, fail to correctly detect the watermark.
Emb 1 is applied to a copy of an information signal to produce a signal with watermark w1 (step 110). Similiarly, Emb 2 is applied to a copy of the same information signal to produce a signal with watermark w2 (step 120).
Both the signal containing w1 and the signal containing w2 are passed to a multiplexing module.
The multiplexing module acts to randomly switch between the two input signals in accordance with a randomly generated multiplexing function mux[n] (step 130).
The function mux[n] determines the way the signals carrying w1 and w2 are multiplexed into a single signal. This is generally done by mixing the two signals with the relative weights of α and β, respectively (i.e. the signals are mixed with different relative strengths; in the simplest case, different amplitudes al). When the weights α, β are random binary digits with α=1−β, the output signal is generated by randomly multiplexing the two signals. The mux[n] function also determines the time duration for which the individual signals are proposed.
The resulting output signal, as determined by the function mux[n] is then applied to the original information signal, resulting in a watermarked signal.
By randomly varying the embedding parameters as described above and in [Veen 2002], the security of the watermark is improved, as it is very difficult for a hacker to average the resulting signal to identify the watermark. Whilst other watermarking techniques have used mapping functions to change the signal properties of the watermark, a hacker having knowledge of the type of mapping function can design a more appropriate attack. As in this instance the mapping function (i.e. the multiplexing function) is randomly generated, it is difficult for a hacker to design a better averaging attack.
The watermark signal y is subsequently output from the embedder (100), for onwards transmission (200), or for storage e.g. in a computer memory or on a recording medium such as a compact disc.
At the detector (300), the signal y is received and/or read. Subsequently, a copy of the signal y is passed to each of the detecting modules, (310, 320). Each detecting module is utilised to detect a respective watermark i.e. the first detecting module can only detect the watermark w1 (310), and the second detecting module (320) can only detect the watermark w2 (320). In this instance, the detection is carried out using a respective key (Key 1, Key 2), as used by the original embedding algorithm to generate the respective watermark w1, w2. At each detecting module, the respective payload (Payload 1, Payload 2) is also extracted (310, 320).
Information on the presence of one or both of the watermarks can be used to convey information such as copy-control conditions. Alternatively, such information can be included in one or more of the payloads of the watermarks.
In principle, any value for the relative weights α, β can be used. A particular preferred embodiment utilises a binary decision, and swaps between α=1, β=0; and α=0, β=1. This effectively results in time-domain multiplexing of the watermark signal, as only one watermark signal is applied to the information signal at any given time.
The above method describes a scenario by which an information signal may be watermarked in a robust manner which is highly resistant to averaging attacks.
Supposing that an averaging attack is made upon the information signal, a method of discovering that such an attack has been made, will now be described in relation to
The tamper detection module is designated generally in-figure 2 as (400) and comprises an estimator E (420), a correlator C (440) and a comparison module (460).
In the tamper detection module of
For a given threshold −T, one can determine that the probability of falsely identifying an averaging attack, assuming that the negative correlation peak is uniformly distributed within the signal y[n] is given by pt=0.5×erfc(T/√2).
To explain the above method further, let us assume that a hacker has managed to estimate an embedded watermark carried in a watermarked signal, such as a copy protected audio signal. Here, in order to remove the copy protection, the hacker will attempt to embed the negative of his estimated watermark throughout the signal at the places in which he believes the original watermark is present. Embedding the negative, if successful, would remove the watermark from the signal so that detection circuitry working on the newly fabricated signal would fail to find any watermark and the copy protection or other features which relied upon such watermarking would be negated.
So, a hacker employing the above type methods will, due to the random nature of the watermarking method used in the arrangements of
To be more specific, an example is now given in which an original watermarked signal y[n] carries a random time-multiplexed mixture wy[n] of watermarks A and B as shown in
In the above, we have tacitly assumed that the hacker is possibly able to estimate A, or B, but that the locations at which the watermarked process switches from A to B and vice versa cannot be (or are not) detected with sufficient accuracy. The method still works however if the hacker were able to estimate both A AND B, but was unable to accurately replicate the locations at which the watermarks switch. Such a discussion will also work in cases of [Veen 2002] where B=0 (or indeed A=0), i.e., a system in which there is a randomly embedded single watermark.
Although the above tamper detecting procedures have been discussed in relation to [Veen 2002], it will be appreciated that they may also be applied to other watermarking schemes in which a watermark is randomly embedded, as in all such systems the information gained in one segment of (for example) audio is not exactly the same as that obtained from another segment. Thus, whenever one tries to subtract an estimate of a watermark obtained in one segment from the same or another segment of audio, one introduces new detection behaviours that were not in the originally watermarked content.
Another aspect of the invention relates to forensic tracking in which it is possible to identify a hacker as being a particular user or restricted group of users.
It will be recalled from the discussion of
In a system containing a randomised watermark, it has been shown how an averaging attack results in the embedding of an opposite polarity watermark in some portions of the content. This means that, except for the polarity reversal, the watermark payload is preserved and, if a unique payload is associated with a given user, then this individual may be traced as being the hacker.
It will be evident that any number of decisions may be made following the detection of tampering. For instance, playback of the hacked information signal may be disabled.
Whilst the invention has been particularly described in relation to the randomised watermarking system of [Veen 2002], the methods can be extended to detect any unsuccessful averaging attack in any watermarking system whose polarity is invariant to signal inversion.
Whilst the above embodiment has been described in relation to a time-domain signal, it will be appreciated that the principles discussed in relation to tamper detection and tracking can occur in any of the domains utilised in the information signal e.g. within the frequency or spatial domains of a video signal.
A copy of the information signal x is subsequently passed to an adder 150, a first embedder 112, and a second embedder 122.
Each of the embedders (112, 122) is arranged so as to apply a respective embedding algorithm (Emb 1, Emb 2) to the information signal x, so as to output respective watermarks w1 and w2 with their respective payloads Payload 1, Payload 2.
Each of the watermarks w1, w2 is applied to a respective gain control unit (132, 134). These gain control units (132, 134) are utilised to control the relative weights α, β of the watermarks w1, w2. The values of α and β at any given time are determined by the multiplex function control unit 136. Both outputs of the gain control unit (132, 134) are provided to an adder 138. The adder outputs the overall watermark signal w, which is a random combination of the two separate original watermark signals w1, w2.
The overall watermark signal w is added to the original information signal x by adder 150, so as to form the watermarked information signal y. The watermarked information signal y is provided to the output (160) of the embedder.
The detector 300 constitutes receiving means for receiving the transmitted watermark information signal y′ at input 302. One copy of the received signal y′ is supplied to first analyzing means comprising a first detector 310 and a second detector 320.
The first and second detectors are each arranged to detect a respective watermark only. I.e., the first detector 310 is specifically arranged to detect whether or not the watermark w1 or its inverse −w1 is within the signal, and the second detector 320 is specifically arranged to detect whether the watermark w2 or its inverse −w2 is within the received information signal y′.
If desired, the detectors (310, 320) may also be utilised to determine any payload incorporated within the respect watermark w1, w2.
Each detector outputs the results to a decision stage 338 constituting second analyzing means. The decision stage (338) includes the correlator function to determine whether the detected watermark has a negative or positive correlation to the expected watermark (w1 or w2). Next, based upon the relevant input e.g. whether both or either of the watermarks are present, and whether in a threshold detecting process a negative correlation peak of a watermark is found to exceed a threshold level, then the appropriate control information to be passed to output 340 is determined. For instance, copy-control information could be determined based upon whether both or either one of the watermarks are present, or upon one or more of the payloads of the watermarks and in the event of detection of an averaging attack, access to signal information may be denied and forensic tracking via the payload information may be instigated.
In similar fashion to the above, received watermark W2′ and an expected watermark W2 are tested for positive correlation in step S3. If there is a positive correlation, then decision D1 is arrived at that there is “no apparent tampering”. If correlation is however found to be negative, then step S4 is undertaken to check the extent of negative correlation. If the negative correlation is less than a threshold value T2, then the decision D1 is taken that there is “no apparent tampering”, whilst if the negative correlation exceeds the threshold value T2, then decision D2 is made, showing “detection of tampering”.
As before, it will be evident that once a decision has been made that tampering is present, further action may be decided to be carried out, such as forensic tracking, blocking of access to information content of the signal etc.
It will be appreciated that the above embodiments are provided by way of example only. For instance, the embodiments have been described utilising only two different watermarks. It will be appreciated that three or more different watermarks could be utilised, with an appropriate random function to control the embedding of all of the watermarks within a host information signal. It will also be appreciated that the tamper detection will also work in situations in which a single watermark is randomly embedded.
Whilst only the functionality of the tamper detecting apparatus has been described, it will be appreciated that either the apparatus could be realised as a digital circuit, an analogue circuit, a computer program, or a combination of thereof.
Within the specification, it will be appreciated that the word “comprising” does not exclude other elements or steps, that “a” or “an” does not exclude a plurality, and that a single processor or other unit may fulfil the functions of several means recited in the claims.
The invention can be summarized as follows. The invention relates to watermarking systems, which irregularly change the embedded watermark so as to avoid hacking the system by averaging-attacks. In averaging-attacks, segments of the watermarked signal are accumulated. This causes the host signal to be cancelled out whereas the embedded watermark accumulates coherently. A watermark A thus determined is then subtracted by a hacker from the watermarked signal.
The invention exploits the insight that the hacker does not know when the embedded watermark changes (from A to B, or from A to none). Accordingly, fragments of the hacked signal will contain the negative watermark −A being unintentionally embedded by the hacker. This causes the watermark detector to produce a correlation peak of opposite polarity. The invention resides in the detection of such a negative peak, and concluding therefrom that the signal has been tampered. The payload of the watermark is preserved. This provides the possibility to trace back the hacker.
| Number | Date | Country | Kind |
|---|---|---|---|
| 03103374.9 | Sep 2003 | EP | regional |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/IB04/51575 | 8/26/2004 | WO | 3/3/2006 |
