ML Security PapersRecoverMark: Robust Watermarking for Localization and Recovery of Manipulated Faces
Haonan An 1, Xiaohui Ye 2, Guang Hua 3, Yihang Tao 3, Hangcheng Cao 1, Xiangyu Yu 3, Yuguang Fang 3
Published on arXiv
2602.20618
Output Integrity Attack
OWASP ML Top 10 — ML09
Key Finding
RecoverMark achieves robust manipulation localization and face content recovery against both seen attacks (JPEG, Gaussian noise) and unseen attacks (regeneration attacks), generalizing to in-distribution and out-of-distribution data where prior dual-watermark methods (EditGuard, OmniGuard, Imuge+) fail under watermark removal.
RecoverMark
Novel technique introduced
The proliferation of AI-generated content has facilitated sophisticated face manipulation, severely undermining visual integrity and posing unprecedented challenges to intellectual property. In response, a common proactive defense leverages fragile watermarks to detect, localize, or even recover manipulated regions. However, these methods always assume an adversary unaware of the embedded watermark, overlooking their inherent vulnerability to watermark removal attacks. Furthermore, this fragility is exacerbated in the commonly used dual-watermark strategy that adds a robust watermark for image ownership verification, where mutual interference and limited embedding capacity reduce the fragile watermark's effectiveness. To address the gap, we propose RecoverMark, a watermarking framework that achieves robust manipulation localization, content recovery, and ownership verification simultaneously. Our key insight is twofold. First, we exploit a critical real-world constraint: an adversary must preserve the background's semantic consistency to avoid visual detection, even if they apply global, imperceptible watermark removal attacks. Second, using the image's own content (face, in this paper) as the watermark enhances extraction robustness. Based on these insights, RecoverMark treats the protected face content itself as the watermark and embeds it into the surrounding background. By designing a robust two-stage training paradigm with carefully crafted distortion layers that simulate comprehensive potential attacks and a progressive training strategy, RecoverMark achieves a robust watermark embedding in no fragile manner for image manipulation localization, recovery, and image IP protection simultaneously. Extensive experiments demonstrate the proposed RecoverMark's robustness against both seen and unseen attacks and its generalizability to in-distribution and out-of-distribution data.
Key Contributions
- Uses the protected face content itself as the watermark, embedded into the surrounding background, exploiting the adversary's constraint to preserve background semantic consistency even under global watermark removal attacks.
- Two-stage robust training paradigm with carefully crafted distortion layers (JPEG compression, Gaussian noise, patch removal, regeneration attacks) and a progressive training strategy — achieving robustness in a non-fragile manner.
- Simultaneous manipulation localization, face content recovery, and image IP ownership verification within a single unified framework, without relying on dual fragile/robust watermark co-embedding.
🛡️ Threat Analysis
RecoverMark is a content watermarking scheme embedded in image backgrounds to authenticate image integrity, localize manipulation, recover original face content, and verify image ownership. It directly defends against watermark removal attacks (low-pass filtering, regeneration attacks) that undermine proactive face manipulation detection — this is output integrity protection for AI-manipulated image content, not model-weight watermarking.