現今數位化時代盛行，在社交媒體上傳照片或是分享繪畫創作相當常見。然而，這種廣泛的影像散播也伴隨著數位影像的盜用和不當使用。為了應對這些挑戰，許多機構和個人都開始使用浮水印技術保護他們的數位影像資產，旨在識別該影像的來源、權利或其他相關訊息。隨著機器學習的快速發展，許多浮水印利用機器學習技術實現具更佳強健性或保真度的演算法。然而，基於機器學習的影像浮水印方法同樣面臨著諸多挑戰，如高昂的訓練成本以及對原始影像大小的限制等問題。而重新審視浮水印應用的情境，本質上就是將輸入區分為「具有特定浮水印的影像」或「不具有特定浮水印的影像」。對於任意可能的受偵測影像而言，「具有特定浮水印的影像數量」相對於「不具有特定浮水印的影像數量」非常有限，兩者的資料數量差距相當懸殊，因此浮水印的偵測也可以視為對於任意輸入影像的一元分類。
近年來，在對抗式機器學習領域的迴避攻擊展現出與浮水印相似的特性，即機器學習分類器遭受干擾攻擊而導致分類錯誤的問題，這樣的議題恰巧與浮水印領域所關注的問題有所關聯：即同樣試圖在影像上加入一些訊號以影響分類器和偵測器的結果。因此，本研究認為在這兩者的相似性中有值得探索的地方，並且設計出一種利用對抗式機器學習技術的浮水印方法。
本論文之目的在於建立基於深度學習的一元分類器的浮水印嵌入與偵測機制，使用深度神經網路建立一元分類器，將輸入影像區分為具有浮水印與不具浮水印。同時，我們建構了全卷積的結構以解決輸入大小受限的問題。而製作影像浮水印的方法採用對抗例的演算法，使任意影像由不具浮水印轉變為具有浮水印，賦予對抗干擾的資訊轉化成為浮水印的任務。

In today’s digital era, it is prevalent to upload photo or share artistic creation on social media. But such widespread of images comes with issues of theft and illegal usage. In order to address these challenges, many individuals use watermarking scheme to protect their digital image asset by recognizing the resources, rights and other information from the images. With the rapid advancement of machine learning, watermarking scheme utilize machine learning algorithms to improve robustness or fidelity. However, watermarking scheme based on machine learning face challenges including high training costs or the restriction to original image size. Reconsidering the application of watermark, it is fundamentally involving categorizing the input images into “specific watermarked” and “specific unwatermarked.” For any detectable image, the quantity of “image with specific watermark” is extremely limited comparing with the quantity “image without specific watermark.” Thus, the watermark detection can be treated as One-Class Classification for any input image because of the quantity gap.
Recently, in the adversarial machine learning field, the evasion attack shows similar property with watermark. That is the machine learning classifier being under interference attack and misclassifying the inputs. This is related with what watermark focus on, which means they both attempt to influence the classifier and detector by inserting signals into the image. This research believes the similarity between these two is worth exploring. Furthermore, we design a watermark scheme utilizing adversarial machine learning techniques.
 Our goal is to establish the watermark embedding and detection scheme based on deep learning One-Class Classification. We classify the input image into “watermarked” and “unwatermarked” by One-Class classifier built on neural networks. Also, we use full-convolutional neural networks structure to meet varying input size. And we embed the watermark by adversarial examples algorithm, making any image classified as “watermarked” from “unwatermarked.” Let the adversarial distortion information itself transform into watermark.

目錄
第一章	緒論	1
1.1	研究背景與動機	1
1.2	研究目的	2
1.3	論文架構	3
第二章	背景技術與相關研究	5
2.1	浮水印演算法	5
2.2	卷積神經網路	11
2.3	一元分類	17
2.4	對抗式機器學習	21
2.5	綜合研究	24
第三章	系統架構	26
3.1	建置概述	26
3.2	偵測器	29
3.3	註冊器	36
第四章	方法實作與實驗結果	40
4.1	實驗環境	40
4.2	偵測器實驗	43
4.2.1	建置偵測器	43
4.2.2	相異尺寸實驗	52
4.2.3	交叉測試	60
4.3	註冊器實驗	65
4.3.1	影像品質評估	65
4.3.2	強健性分析	70
4.3.3	逼近法與遠離法	73
4.3.4	轉移攻擊	76
4.4	雙浮水印偵測器實驗	81
第五章	結論	94
參考文獻		96
附錄1		100
附錄2		107
附錄3  英文論文	110
 
圖目錄
圖 2.1 1浮水印運作流程圖	6
圖 2.1 2浮水印演算法基於不同特性的分類	11
圖 2.2 1卷積運算示意圖	13
圖 2.2 2 ReLU激勵函數	14
圖 2.2 3兩層3×3的卷積與單層5×5卷積的影像取樣示意圖	16
圖 2.2 4VGG16架構影像示意圖	17
圖 2.3 1傳統多元分類模型無法判斷異常的能力的示意圖	18
圖 2.3 2OC-CNN模型結構示意圖	20
圖 2.4 1FGSM演算法示範	23
圖 3.1 1本論文提出之浮水印方法的建構三階段	28
圖 3.1 2對抗例與浮水印機制概念對應示意圖	29
圖 3.2 1偵測器的功能示意圖	30
圖 3.2 2本研究提出之OC-FCNN架構	32
圖 3.2 3偵測器訓練流程圖	34
圖 3.3 1註冊器的流程圖	36
圖 4.1 1實驗使用的影像資料集	43
圖 4.2 1作為浮水印影像的四張影像	44
圖 4.2 2學習率為"10-4" 時四種浮水印的PE測試折線圖	47
圖 4.2 3學習率為"10-4" 時訓練發生損失值瞬間升高的現象	47
圖 4.2 4學習率為10-5時四種浮水印的PE測試折線圖	48
圖 4.2 5tkuLogoRed浮水印偵測器對影像處理的強健性	51
圖 4.2 6縮放後的原始影像的平均分數	53
圖 4.2 7不同尺寸的具浮水印影像的平均分數	54
圖 4.2 8具浮水印影像與相同尺寸原始影像的分數差值	54
圖 4.2 9修改縮放上限後的原始影像平均分數	56
圖 4.2 10修改迭代限制後的具浮水印影像的平均分數	57
圖 4.2 11修改迭代限制後的分數差值	57
圖 4.2 12六張原始影像與其在不同尺寸下的分數	58
圖 4.2 13在不同尺寸比例下具浮水印影像示例	59
圖 4.2 14 tkuLogoRed十組偵測器對影像處理的強健性	64
圖 4.3 1在不同註冊器超參數下的PSNR平均值	67
圖 4.3 2在不同註冊器超參數下的SSIM平均值	67
圖 4.3 3訓練次數為130 epoch的偵測器PSNR平均值	68
圖 4.3 4訓練次數為130 epoch的偵測器SSIM平均值	68
圖 4.3 5以mandrill嵌入tkuLogoRed浮水印的實例展示	69
圖 4.3 6以man嵌入tkuLogoRed浮水印的實例展示	69
圖 4.3 7以TamKang嵌入tkuLogoRed浮水印的實例展示	70
圖 4.3 8不同註冊器超參數在十種影像處理的強健性	72
圖 4.3 9以mandrill作為浮水印時遠離法與逼近法在jpeg壓縮上強健性的比較	74
圖 4.3 10 tkuLogoRed上遠離法對影像處理的強健性	75
圖 4.3 11四種浮水印的轉移攻擊結果折線圖	77
圖 4.3 12目標偵測器相異訓練次數下目標偵測器誤判的情況	80
圖 4.3 13測試偵測器相異訓練次數下目標偵測器誤判的情況	80
圖 4.4 1修改以適應多浮水印形式的OC-FCNN結構圖	81
圖 4.4 2 CSIE_LOGO的浮水印影像	84
圖 4.4 3四種組合浮水印的遠離法PE測試折線圖	84
圖 4.4 4四種組合浮水印的逼近法PE測試折線圖	85
圖 4.4 5 5411與tkuLogoRed組合在不同尺寸的分數	88
圖 4.4 6 tkuLogoRed與CSIE_LOGO組合在不同尺寸的分數	89
圖 4.4 7 pepper與tkuLogoRed組合在不同尺寸的分數	89
圖 4.4 8 pepper與mandrill組合在不同尺寸的分數	90
圖 4.4 9 tkuLogoRed與CSIE_LOGO組合的影像品質	91
圖 4.4 10 pepper與mandrill組合的影像品質	91
圖 4.4 11 pepper與tkuLogoRed組合的影像品質	92
圖 4.4 12 5411與tkuLogoRed組合的影像品質	92
 
表目錄
表 4.1 1實驗硬體型號	40
表 4.1 2實驗軟體或套件版本	41
表 4.2 1十種考慮的影像處理	49
表 4.2 2浮水印為mandrill的十組偵測器交叉測試	61
表 4.2 3浮水印為pepper的十組偵測器交叉測試	61
表 4.2 4浮水印為tkuLogoRed的十組偵測器交叉測試	61
表 4.2 5浮水印為5411的十組偵測器交叉測試	61
表 4.3 1 tkuLogoRed浮水印影像嵌入5411後輸入tkuLogoRed偵測器的分數	78

參考文獻
[1]	X. Zhong, P.-C. Huang, S. Mastorakis, and F. Y. Shih, "An automated and robust image watermarking scheme based on deep neural networks," IEEE Transactions on Multimedia, vol. 23, pp. 1951-1961, 2020.
[2]	S.-M. Mun, S.-H. Nam, H.-U. Jang, D. Kim, and H.-K. Lee, "A robust blind watermarking using convolutional neural network," arXiv preprint arXiv:1704.03248, 2017.
[3]	P. Amrit and A. K. Singh, "Survey on watermarking methods in the artificial intelligence domain and beyond," Computer Communications, vol. 188, pp. 52-65, 2022.
[4]	V. L. Cu, T. Nguyen, J.-C. Burie, and J.-M. Ogier, "A robust watermarking approach for security issue of binary documents using fully convolutional networks," International Journal on Document Analysis and Recognition (IJDAR), vol. 23, pp. 219-239, 2020.
[5]	H. Kandi, D. Mishra, and S. R. S. Gorthi, "Exploring the learning capabilities of convolutional neural networks for robust image watermarking," Computers & Security, vol. 65, pp. 247-268, 2017.
[6]	M. Ghazvini, E. M. Hachrood, and M. Mirzadi, "An improved image watermarking method in frequency domain," Journal of Applied Security Research, vol. 12, no. 2, pp. 260-275, 2017.
[7]	I. Cox, M. Miller, J. Bloom, J. Fridrich, and T. Kalker, Digital watermarking and steganography. Morgan kaufmann, 2007.
[8]	P. Fernandez, A. Sablayrolles, T. Furon, H. Jégou, and M. Douze, "Watermarking images in self-supervised latent spaces," in ICASSP 2022-2022 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2022, pp. 3054-3058: IEEE.
[9]	V. Vukotić, V. Chappelier, and T. Furon, "Are deep neural networks good for blind image watermarking?," in 2018 IEEE International Workshop on Information Forensics and Security (WIFS), 2018, pp. 1-7: IEEE.
[10]	D. K. Mahto and A. K. Singh, "A survey of color image watermarking: State-of-the-art and research directions," Computers & Electrical Engineering, vol. 93, p. 107255, 2021.
[11]	N. S. Kamaruddin, A. Kamsin, L. Y. Por, and H. Rahman, "A review of text watermarking: theory, methods, and applications," IEEE Access, vol. 6, pp. 8011-8028, 2018.
[12]	Z. Wang, A. C. Bovik, H. R. Sheikh, and E. P. Simoncelli, "Image quality assessment: from error visibility to structural similarity," IEEE transactions on image processing, vol. 13, no. 4, pp. 600-612, 2004.
[13]	T. Furon, "A constructive and unifying framework for zero-bit watermarking," IEEE Transactions on Information Forensics and Security, vol. 2, no. 2, pp. 149-163, 2007.
[14]	I. Goodfellow, Y. Bengio, and A. Courville, Deep learning. MIT press, 2016.
[15]	F. Chollet, Deep learning with Python. Simon and Schuster, 2021.
[16]	M. Lin, Q. Chen, and S. J. a. p. a. Yan, "Network in network," 2013.
[17]	A. Krizhevsky, I. Sutskever, and G. E. J. A. i. n. i. p. s. Hinton, "Imagenet classification with deep convolutional neural networks," vol. 25, 2012.
[18]	K. He, X. Zhang, S. Ren, and J. Sun, "Deep residual learning for image recognition," in Proceedings of the IEEE conference on computer vision and pattern recognition, 2016, pp. 770-778.
[19]	K. Simonyan and A. J. a. p. a. Zisserman, "Very deep convolutional networks for large-scale image recognition," 2014.
[20]	ImageNet. (2014, Nov. 22). Large Scale Visual Recognition Challenge 2014 (ILSVRC2014). Available: https://image-net.org/challenges/LSVRC/2014/results
[21]	P. Perera, P. Oza, and V. M. J. a. p. a. Patel, "One-class classification: A survey," 2021.
[22]	L. Ruff et al., "Deep One-Class Classification," presented at the Proceedings of the 35th International Conference on Machine Learning, Proceedings of Machine Learning Research, 2018. Available: https://proceedings.mlr.press/v80/ruff18a.html
[23]	P. Oza and V. M. Patel, "One-class convolutional neural network," IEEE Signal Processing Letters, vol. 26, no. 2, pp. 277-281, 2018.
[24]	D. P. Kingma and J. J. a. p. a. Ba, "Adam: A method for stochastic optimization," 2014.
[25]	A. D. Joseph, B. Nelson, B. I. P. Rubinstein, and J. D. Tygar, Adversarial Machine Learning. Cambridge University Press, 2019.
[26]	E. Tabassi, K. J. Burns, M. Hadjimichael, A. D. Molina-Markham, and J. T. Sexton, "A taxonomy and terminology of adversarial machine learning," NIST IR, pp. 1-29, 2019.
[27]	A. Vassilev, "Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations," National Institute of Standards and Technology, Gaithersburg, MDNIST AI NIST AI 100-2e2023 ipd, 2023.
[28]	N. Akhtar and A. Mian, "Threat of adversarial attacks on deep learning in computer vision: A survey," IEEE Access, vol. 6, pp. 14410-14430, 2018.
[29]	N. Akhtar, A. Mian, N. Kardan, and M. Shah, "Advances in adversarial attacks and defenses in computer vision: A survey," IEEE Access, vol. 9, pp. 155161-155196, 2021.
[30]	J. Deng, W. Dong, R. Socher, L.-J. Li, K. Li, and L. Fei-Fei, "Imagenet: A large-scale hierarchical image database," in 2009 IEEE conference on computer vision and pattern recognition, 2009, pp. 248-255: Ieee.
[31]	I. J. Goodfellow, J. Shlens, and C. Szegedy, "Explaining and harnessing adversarial examples," arXiv preprint arXiv:1412.6572, 2014.
[32]	A. Kurakin, I. J. Goodfellow, and S. Bengio, "Adversarial examples in the physical world," in Artificial intelligence safety and security: Chapman and Hall/CRC, 2018, pp. 99-112.
[33]	E. Quiring, D. Arp, and K. Rieck, "Forgotten siblings: Unifying attacks on machine learning and digital watermarking," in 2018 IEEE European symposium on security and privacy (EuroS&P), 2018, pp. 488-502: IEEE.
[34]	X. Jia, X. Wei, X. Cao, and X. Han, "Adv-watermark: A novel watermark perturbation for adversarial examples," in Proceedings of the 28th ACM International Conference on Multimedia, 2020, pp. 1579-1587.
[35]	小関義博, "1クラス分類器に対する敵対的サンプルの有効性について," 人工知能学会全国大会論文集, vol. JSAI2020, pp. 4J3GS201-4J3GS201, 2020.
[36]	S.-Y. Lo, P. Oza, and V. M. Patel, "Adversarially Robust One-class Novelty Detection," IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022.
[37]	J. Long, E. Shelhamer, and T. Darrell, "Fully convolutional networks for semantic segmentation," in Proceedings of the IEEE conference on computer vision and pattern recognition, 2015, pp. 3431-3440.
[38]	U. Ruby and V. Yendapalli, "Binary cross entropy with deep learning technique for image classification," Int. J. Adv. Trends Comput. Sci. Eng, vol. 9, no. 10, 2020.
[39]	S. Qian, C. Ning, and Y. Hu, "MobileNetV3 for image classification," in 2021 IEEE 2nd International Conference on Big Data, Artificial Intelligence and Internet of Things Engineering (ICBAIE), 2021, pp. 490-497: IEEE.
[40]	C. Tang, Q. Zhu, W. Wu, W. Huang, C. Hong, and X. Niu, "PLANET: Improved Convolutional Neural Networks with Image Enhancement for Image Classification," Mathematical Problems in Engineering, vol. 2020, p. 1245924, 2020/03/11 2020.
[41]	C. Szegedy, V. Vanhoucke, S. Ioffe, J. Shlens, and Z. Wojna, "Rethinking the inception architecture for computer vision," in Proceedings of the IEEE conference on computer vision and pattern recognition, 2016, pp. 2818-2826.
[42]	S. Ruder, "An overview of gradient descent optimization algorithms," arXiv preprint arXiv:1609.04747, 2016.
[43]	M. Abadi et al., "TensorFlow: a system for Large-Scale machine learning," in 12th USENIX symposium on operating systems design and implementation (OSDI 16), 2016, pp. 265-283.
[44]	A. G. W. USC-SIPI. The USC-SIPI Image Database: Version 6 [Online]. Available: https://sipi.usc.edu/database/
[45]	S.-M. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard, "Universal adversarial perturbations," in Proceedings of the IEEE conference on computer vision and pattern recognition, 2017, pp. 1765-1773.