First-Place Solution to NeurIPS 2024 Invisible Watermark Removal Challenge

Content watermarking is an important tool for the authentication and copyright protection of digital media. However, it is unclear whether existing watermarks are robust against adversarial attacks. We present the winning solution to the NeurIPS 2024 Erasing the Invisible challenge, which stress-tests watermark robustness under varying degrees of adversary knowledge. The challenge consisted of two tracks: a black-box and beige-box track, depending on whether the adversary knows which watermarking method was used by the provider. For the beige-box track, we leverage an adaptive VAE-based evasion attack, with a test-time optimization and color-contrast restoration in CIELAB space to preserve the image's quality. For the black-box track, we first cluster images based on their artifacts in the spatial or frequency-domain. Then, we apply image-to-image diffusion models with controlled noise injection and semantic priors from ChatGPT-generated captions to each cluster with optimized parameter settings. Empirical evaluations demonstrate that our method successfully achieves near-perfect watermark removal (95.7%) with negligible impact on the residual image's quality. We hope that our attacks inspire the development of more robust image watermarking methods.

Key Contributions

• Adaptive VAE-based evasion attack for beige-box watermark removal with test-time optimization and CIELAB color-contrast restoration
• Black-box watermark removal via frequency/spatial artifact clustering followed by diffusion-based purification guided by ChatGPT-generated semantic captions
• First-place NeurIPS 2024 Erasing the Invisible solution, outperforming runners-up by 26% and 31.7% on beige-box and black-box tracks with 95.7% overall watermark removal

🛡️ Threat Analysis

Details

Similar Papers