IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO.

1, FEBRUARY 2012

185

Performance Analysis of a Block-NeighborhoodBased Self-Recovery Fragile Watermarking Scheme

Hongjie He, Fan Chen, Heng-Ming Tai, Senior Member, IEEE, Ton Kalker, and Jiashu Zhang
AbstractIn this paper, we present the performance analysis of a self-recovery fragile watermarking scheme using block-neighborhood tamper characterization. This method uses a pseudorandom sequence to generate the nonlinear block-mapping and employs an optimized neighborhood characterization method to detect the tampering. Performance of the proposed method and its resistance to malicious attacks are analyzed. We also investigate three optimization strategies that will further improve the quality of tamper localization and recovery. Simulation results demonstrate that the proposed method allows image recovery with an acceptable visual dB up to 60% quality peak signal-to-noise ratio (PSNR) tampering. Index TermsBlock-neighborhood, fragile watermarking, image authentication, self-recovery, tamper detection.

I. INTRODUCTION

ECENTLY, several fragile watermarking schemes have been proposed for image authentication and integrity verication [1][8]. These schemes embed in an image an invisible watermark which is 1) difcult to counterfeit without authorization, and 2) allows for authorized detection of tampering, preferably with localization information. To localize tampering, an image is typically partitioned into blocks, and each block is embedded with its own watermark based on a secret key and block location [1][8]. However, these schemes are vulnerable to counterfeiting attacks [9], [10], and cannot discriminate between watermark tampering and image content tampering [11]. To reconstruct tampered regions, several self-recovery watermarking schemes have been proposed [12][24]. These schemes improve on localized tamper detection schemes [1][8] by embedding image block features as a watermark payload of a different image block (or blocks). This strategy introduces a blockwise dependency and ensures that self-recovery watermarking

Manuscript received February 04, 2011; revised July 12, 2011; accepted July 14, 2011. Date of publication July 25, 2011; date of current version January 13, 2012. This work was supported in part by the National Natural Science Foundation of China (Grant 60970122), in part by the Research Fund for the Doctoral Program of Higher Education (Grant 20090184120021), and in part by the Fundamental Research Funds for the Central Universities (Grant SWJTU09CX039, Grant SWJTU10CX09). The associate editor coordinating the review of this manuscript and approving it for publication was Prof. C.-C. Jay Kuo. H. He, F. Chen, and J. Zhang are with the Sichuan Key Laboratory of Signal and Information Processing, Southwest Jiaotong University, Chengdu 610031, China. H.-M. Tai is with the Department of Electrical Engineering, University of Tulsa, Tulsa, OK 74104 USA. T. Kalker is with the Hewlett-Packard Laboratories, Multimedia Communications and Networking Laboratory, Palo Alto, CA 94304 USA. Color versions of one or more of the gures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identier 10.1109/TIFS.2011.2162950

schemes are not vulnerable to a vector quantization (VQ) counterfeiting attack [9] or a collage attack [10]. However, these schemes suffer from a number of other problems. 1) Undetectable modications Due to the limitation on the watermark embedding capacity, the features of an image block generally consist of quantized transformation coefcients, e.g., important quantized higher order DCT coefcients [12][16] or average intensity [17][21]. Attacks that do not alter these features fail to be detected [12], for example, the constant-average attack on Lins average-intensity-based watermarking scheme [18] proposed by Chang et al. [25]. 2) Insecure block-mappings In the self-recovery watermark scheme, a block-mapping is required for watermark embedding in advance: the features of block are embedded as the payload of watermark for block . Numerous block-mappings exist, but commonly they are constructed as linear transforms: xed offset [13], 2-D transformation [17], [19], and 1-D linear transformation [18], [20]. However, because the limited number of degrees of freedom, linear transforms are easily recovered from only a few sample images, and are weak from a security point of view [25], [26]. To address this issue, He et al. [15] have proposed a nonlinear block-mapping construction using pseudorandom sequences. 3) Localization failure Since self-recovery watermarking schemes generally insert features of one image block into another block, the resulting block-wise dependency makes it difcult to detect and localize tampering. For example, suppose that the features of block are embedded in block and that the features of block are embedded in block . If block is tampered with there will be two miss-matches: block will not match block because the computed features of block do not match the retrieved features from block , and block will not match block because the computed and distorted features of block do not match the retrieved features of block . Therefore, a mismatch between computed and retrieved features is not necessarily proof of tampering. To address this problem, Lin et al. [18] proposed that the validity of an image block was determined by additional authentication data in a block. Specically, the payload of watermark consists of authentication data as well as recovery data. The authentication data for a block is embedded in the block itself, whereas the recovery data is embedded in a different block. This method of tamper detection has been adopted in a number of similar approaches [16], [19], [20], [23] and [24].

1556-6013/$26.00 2011 IEEE

186

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

4) Quality of a recovery If large portions of an image are tampered, then the quality of the recovered image is generally poor [13]. To improve the recovery quality, Lee and Lin [20] proposed a dual-watermarking method. This scheme maintains two watermark copies of the whole image and provides a second chance for block recovery in case one copy is destroyed. But Lees method is vulnerable to the collage attack and the constantaverage attack. Recently, Zhang and Wang [22] proposed a fragile watermarking scheme with error-free restoration capability, in which the recovery data (reference-bits) contain redundancy. For tampering covering less than 3.2% of the host image, the original image information can be restored without any error. To overcome the insecure problems mentioned above, the authors have proposed a self-recovery fragile watermarking using block-neighborhood tampering characterization [21]: 1) The block-mapping was generated using a pseudorandom sequence. 2) The validity of an image block was determined by comparing the number of inconsistent blocks in a 3 3 neighborhood of the test block with that of its mapping block. 3) The 3 3 block-neighborhood was used to restore tampered blocks. However, this method is still vulnerable to a improved constant-average attack. To overcome this weakness, we propose to add two secure key bits to each block. Performance of the proposed tamper detection scheme is analyzed and three optimization strategies are investigated. Experimental results conrm that with high probability the proposed scheme is able to identify tampering for up to 80% tampering. Results also show that recovery is possible with high probability and acceptable visual quality peak signal-to-noise ratio (PSNR) dB for up to 60% tampering. The remainder of this paper is organized as follows. In Section II the block-neighborhood-based watermarking scheme is described. Section III presents an analytical analysis of tamper detection performance and threshold-selection. Experimental results are given in Section IV and conclusions are given in Section V. II. BLOCK-NEIGHBORHOOD-BASED FRAGILE WATERMARKING ALGORITHM The proposed block-neighborhood-based fragile watermarking algorithm is described in four phases: watermark embedding, watermark extraction, tamper detection, and recovery. A. Watermark Embedding In the proposed scheme, secret keys are used to provide security against various known malicious attacks such as constant-average attack (CAA), collage attack (CA), and four-scanning attack [25]. The embedding process consists of ve operations. Step 1) Partitioning. The original image is partitioned into blocks of size 2 2. Each block is decomposed as ,

where and correspond to the six most signicant bit (MSB) planes and the two least signicant bit (LSB) planes, respectively (we assume 8-bit pixel values). Step 2) Block-mapping. A block mapping is computed from a key-based pseudorandom permutation of the integer interval . Step 3) Feature computation. The six recovery bits for a block are computed as (1) where The two key bits is the average intensity of . for a block are computed as (2) where is binary code of all pixels in block , is key-generated random bit pattern of size 24 2, different for each block , and the -operator denotes the matrix multiplication. This implies that for any change of , each key bit is ipped with probability 1/2 [22]. The recovery and key bits for a block are concatenated in a bit vector of length 8 (called features), that is (3) Step 4) Watermark payload. The feature is encrypted with a secret key to construct an 8-bit watermark vector . Step 5) Watermark insertion. Setting , the block is watermarked by substituting the (appropriately formatted) watermark payload for . B. Watermark Extraction Suppose represents the tested image, which can be a distorted watermarked image or unaltered one. The proposed watermark extraction procedure includes the following steps. Step 1) Partitioning. As in the watermark embedding process, the test image is divided into nonoverlapping 2 2 blocks and a block mapping is computed by secret key. Step 2) Feature computation and extraction. For each block , the computed features are obtained by from (3). The extracted features are obtained by decrypting . Step 3) Feature matching. The feature-match mark is calculated by comparing the computed features of block with the corresponding retrieved features from its mapping block if otherwise. (4)

The block is unmatched if . To resist the constant-average attack, a partial match mark is required if otherwise (5)

HE et al.: PERFORMANCE ANALYSIS OF A BLOCK-NEIGHBORHOOD-BASED SELF-RECOVERY SCHEME

187

where [6] and [2] are the six recovery bits and two key bits in the features of length 8, respectively. If , the corresponding block must not be mounted by the constant-feature attack; otherwise, it is likely attacked. C. Tamper Detection This section describes the proposed neighborhood-based tamper detection method. For each block , we determine a Boolean , where signies a valid block, and signies an invalid block. is referred to as a Tamper Detection Mark (TDM) and is computed in ve steps, as shown in Fig. 1. For future use, we dene as the number of nonzero pixels that are adjacent to the element in a 2-D matrix [21]. We refer to as the neighborhood characterization of element in a 2-D matrix . Step 1) Basic Tamper Detection (BTD). This step is designed to distinguish the invalid blocks from the unmatched blocks by comparing neighborhood tampering characterization [21]. The initial TDM is computed as if otherwise (6)
Fig. 1. Neighborhood-based tamper detection scheme.

changed. This step intends to improve the detection rate for the blocks tampered by CAA. According to the partial match mark obtained by (5) and its neighborhood characterization, the CAA TDM is if otherwise (9)

is a predened threshold, and is the where neighborhood characterization of the pixel in the partial match mark obtained by (5). Step 5) OR Operation. TDM is used to exactly identify the altered blocks. Combining the boundary TDM with the CAA TDM yields the TDM where if OR otherwise. (10)

where , and the is the neighborhood characterization of the pixel in the feature-match mark as dened in (4). Step 2) Collage-Attack Optimization. We improve robustness against the collage-attack by updating those false decision block. To this end, we dene the collage-attack TDM as if if otherwise is a predened threshold, and is the where neighborhood characterization of the pixel in the initial TDM . This step improves the tamper detection performance under the collage attack. Step 3) Boundary Optimization. To enhance tamper detection performance for blocks on the boundaries of the tampered areas, the boundary TDM is computed by combining the collageattack TDM , the initial TDM , and the feature-match mark if if otherwise is the neighborhood characterization of where the pixel in the collage-attack TDM . Step 4) Constant-average Attack (CAA) Optimization. If the host image is mounted by CAA, the probability of detecting the attacked blocks would be decreased due to the fact that the six recovery bits must not be (8) (7)

D. Recovery After tamper detection, all blocks in the test image are marked as either valid or invalid. The invalid blocks can be classied into two categories: feature-reserved and feature-destroyed invalid blocks. The former denotes the tampered blocks whose mapping block is valid, and the latter those tampered blocks whose mapping block is also tampered. The proposed recovery procedure is only for the invalid blocks. It consists of two steps. First, all feature-reserved invalid blocks in the test image are recovered using the extracted features from its mapping block, and then the feature-destroyed invalid blocks are recovered by the average intensity of the neighboring valid pixels. Details of the recovery procedure are described in [21]. III. PERFORMANCE ANALYSIS To investigate the performance of tamper detection algorithms, we introduce the probability of false rejection (PFR), the probability of false acceptance (PFA), and the probability of false detection (PFD) as the quantitative performance measures [11]. They are dened, respectively, as (11) (12) (13) where denotes the number of image blocks, the number of actually tampered blocks, the number of tampered blocks which are correctly detected, the number of authentic blocks which are falsely detected. Note that the block is authentic if the contents of all pixels in it are not changed.

188

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

(18) denotes the number of nonzero pixels that are adjacent Since to the pixel in a binary image , the value of is an integer in the interval [0, 8]. Then we obtain the probability

Fig. 2. Four sets of image blocks and its 3

3 neighborhood characterization.

A. Analytical Expressions To derive the analytical expressions of the detection probabilities, we rst partition all blocks in the host image into four mutually exclusive regions [15], as depicted in Fig. 2. These four sets of regions are : the tampered blocks located on the boundary of the tampered regions; : the tampered blocks located in the tampered regions; : the authentic blocks adjacent to the tampered blocks; : the authentic blocks not adjacent to the tampered blocks. Let denote the ratio of the block to all the image blocks in the image, where . One can conclude that (14) In the initial TDM , if , the corresponding block is considered as invalid by the proposed BTD; otherwise, the block is valid. It follows from (6) that we can dene the conditional PFA and the conditional PFR of the BTD as follows:

(19) Again as seen from Fig. 2, all of the eight neighboring blocks are tampered if , while all of the eight of block neighboring blocks are authentic if . On the other hand, the eight neighboring blocks of block contain both authentic blocks and tampered blocks if or . According to the binomial distribution theory, we have

(20)

(15)

(16) where represents the probability of , and the symbols and denote the probability and for an image block , respectively. Since the block-mapping sequence is generated randomly, the mapped block can come from any block in the image with equal probability. It follows from (4) and total probability that the and can be deduced

and are the probabilities of under the where occurrence of block and , respectively. The values of can be obtained by substituting (20) and (19) into (18) with the values of and . If the image block is authentic, then the computed features by are unchanged, so are the extracted features by . On the other hand, if the block is tampered, the computed features by and the retrieved features by are likely to be altered. Let and denote the computed features of the tampered and the authentic block, and and denote the retrieved features of the tampered and authentic block, respectively. According to (17), we have

(21)

(17)

(22)

HE et al.: PERFORMANCE ANALYSIS OF A BLOCK-NEIGHBORHOOD-BASED SELF-RECOVERY SCHEME

189

Let have

be the tamper ratio, that is

. Hence we (23)

It follows from (15) that the conditional PFA with modications only on image contents can be expressed as

and for is

(29) . It follows from (16) that, for , the conditional PFR under content-only tampering (30) 3) Constant-Average Attack (CAA): When the watermarked image is modied by the constant-average attack, the six recovery bits are constant but the two key bits are randomly changed, and the extracted feature-bits from the LSB planes are not changed (i.e., ). Therefore, the probability is

(24) , Note that the values of depend on how the blocks pered. B. PFA and PFR Under Tampering In this subsection, we discuss the PFA and PFR of the proposed BTD under various tampering. Types of tampering include the general tampering, the content-only tampering, the constant-average attack, and the collage attack. 1) General Tampering (GT): If the image block is generally modied, then we consider the case that both and are randomly changed. Specically, the values of and equal to each integer in the interval with the same probability, where is the number of bits in the feature of the image block. Thus we have the probabilities , and . From (23) and (24), we compute the probabilities and . It follows from (15) and (16) that the conditional PFA and PFR of the proposed BTD can be expressed as , and are tam-

and

(31) (32) It follows from (15) and (16) that the conditional PFA and PFR of the proposed BTD are

(33) and for (34)

(25) for and

(26) for . Note that the value of is computed by substituting (20) and (19) into (18) with the values of and . 2) Content-Only Tampering (CT): For the content-only tampering, the image content is modied, while the two LSB planes are intact. And the computed features by the content is randomly changed, but the extracted feature from the LSB planes is unchanged (i.e., ). Hence, we have

(27) (28)

When the host image is modied by CAA, from (33) and (34), the conditional PFR is zero but the conditional PFA is at least 0.25. This deciency can be effectively improved by the CAA optimization step as described in the proposed tamper detection method. 4) Collage Attack (CA): The collage attack [10] is a variation of the VQ counterfeiting attack [9]. The VQ counterfeiting attack and the collage attack together create a forged image by combining authentic portions from multiple authenticated images. The collage attack differs from the VQ attack in that the collage attack must preserve the relative spatial location of the collage blocks within the image. If the location of an authentic block is changed, the computed features do not match the retrieved features due to the fact that its mapping block obtained by the block-mapping is different. As a result, the performance of tamper detection of the proposed BTD under the VQ attack is similar to that in the general tampering. On the other hand, if a forged image is created by combining authentic portions from multiple authenticated images while preserving their relative spatial locations within the image, it is possible that both blocks and corresponding mapping blocks exist in the collaged regions. Under this circumstance, the collaged blocks must be consistent and the performance of tamper detection will be impaired. The PFA and PFR of the proposed BTD under the collage attack will be deduced in the following.

190

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

For simplicity, a forged image is created by a collage of authentic blocks from two watermarked images. Let be a watermarked image, whose size and secret key are the same as those of the watermarked image . The collaged image is obtained by copying the certain region of image and pasting it onto the watermarked image while preserving their relative spatial location within the image. In this case, and , where and denote the computed and extracted features of the th block in the watermarked image , respectively. Suppose the content of two images and are independent of each other. From (23) and (24), we obtain

(35)

(36) From (15) and (16), the conditional PFA and PFR as the host image undergoes the collage attack are

(37) For and

(38) for .
Fig. 3. Performance of the BTD in collage attack. (a) PFA and (b) PFR.

C. Optimization Strategies This section discusses the functions of optimization strategies and the selection of predened thresholds. 1) Collage-Attack Optimization: From (37) and (38), the probabilities under CA ( , , and ) of the proposed BTD versus the tamper ratio are plotted in Fig. 3(a) and (b), respectively. Experiments were conducted to verify the deduction analysis results using the 512 512 Lena and Barbara watermarked images with the same secret key. The collaged image is obtained by copying the region of watermarked Barbara and pasting it onto the watermarked Lena while preserving their relative spatial location within image. Experimental results of these probabilities of the proposed BTD are also illustrated in Fig. 3(a) and (b), respectively. Fig. 3 shows that the theoretical curves and corresponding experimental ones are in close agreement, which veries the validity of the above theoretical deduction. The and of the proposed BTD are close to zero as the collaged region is less than 20% of the host image. However, the and of the proposed BTD increase linearly with the increase of the tamper ratio. This is mainly due to the fact that the attacked blocks whose mapping block falls into the collaged region will not be detected. To mend this drawback, the collage-attack optimization step is proposed. Its main idea is to update those false decision blocks

according to the block-neighborhood tampering characterization of the initial TDM . For a correct behavior of watermark detection, it is important to properly choose the threshold in (7). A possibility consists in choosing in such a way that the PFD dened in (13) is minimized. Fig. 4 plots the experimental PFD of the collage-attack TDM with and , respectively. For comparison, the PFD of the initial TDM is also shown in Fig. 4. As can be seen from Fig. 4, the PFD values of or are close to zero if the collaged region is smaller than 20% of the host image. The PFD of is smallest at the various tamper ratios from 20% to 50%. Thus this work selects the predened threshold . 2) Boundary Optimization: According to (25) and (26), theoretical , , and of the proposed BTD are shown in Fig. 5(a) and (b), respectively. To verify the deduction analysis results, the 512 512 Lena image was randomly modied with different tamper ratio. The experimental , , and of the initial TDM are displayed in Fig. 5(a) and (b), respectively. Fig. 5 shows that the experimental curves and corresponding theoretical ones are in close agreement, which verify the validity of the above theoretical deduction. As can be seen from Fig. 5, , , , and of the proposed BTD increase with the increase of the tamper ratio. But their changing speeds are

HE et al.: PERFORMANCE ANALYSIS OF A BLOCK-NEIGHBORHOOD-BASED SELF-RECOVERY SCHEME

191

Fig. 4. PFD of TDM under collage attack with different thresholds.

To demonstrate the performance of the proposed boundaryoptimization strategy, Fig. 5(a) and (b) also plots the experimental results of these probabilities of the boundary TDM . Fig. 5 shows that the boundary-optimization effectively decreases the PFA, but at the expense of . The values of are about 20% higher than those of . Fortunately, the do not have much inuence on the recovery quality and detection ratio, which will be shown in Sections IV-A and IV-D. 3) Constant-Average Attack Optimization: It follows from (33) that, when the tested image is maliciously modied by CAA, the PFA of the proposed BTD is high. To x this drawback, CAA optimization has been designed. According to (9), the probability of can be expressed as

(39) is about if According to (5), the probability of the block is attacked by CAA; otherwise it is . Thus for a given threshold, the value of can be computed by (39). Since the watermark information is not altered under CAA, the valid blocks, which are wrongly recovered, do not have much inuence on the recovery quality. In contrast, the quality of the recovered image would be severely degraded if the attacked blocks are not reconstructed. Therefore, we select the threshold to ensure the low PFA. In this case, the value of is about 99.99% and 0.47% for the attacked block and the unattacked one, respectively. That is, the PFA and PFR of the proposed scheme under the constant-average attack are about 0.01% and 0.47%. IV. SIMULATION RESULTS We conduct numerous experiments to demonstrate the effectiveness of the proposed self-recovery fragile watermarking scheme and compare with the typical self-recovery watermarking schemes on the performance of tamper detection and tamper restoration. Generally, the watermark payload ranges from 1 to 3 bpp (bit per pixel) in the self-recovery fragile watermarking. To reduce the distortion caused by watermark insertion, the watermarked image is commonly generated by substituting for the LSB planes while keeping the MSB planes of the original image intact. Suppose that the original distribution of the data in the LSB planes is uniform. The average energy of distortion caused by embedding bits watermark is (40) Then the approximate PSNR of the watermarked image with respect to the original one is (41)

Fig. 5. Tamper detection performance under general tampering. (a) PFA and (b) PFR.

different. Fig. 5(b) shows that and of our BTD are perfect (close to zero) at low and moderate tampering ratio (less than 40%). It can be seen from Fig. 5(a) that of our BTD is always smaller than 5% at various tamper ratios from 0.01% to 80%. Unfortunately, of the BTD will increase quickly with the increase of the tamper ratio. Since the undetected block has not performed the recovery operation, a high PFA will severely degrade the quality of the recovered image. Therefore, the boundary optimization step is proposed to decrease the PFA of the tampered blocks located on the boundary of tampered regions.

192

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

The PSNR value of the watermarked image decreases with the increase of watermark payload. In the proposed scheme, the watermark payload is 2 bpp and PSNR of the watermarked image is 44.15 dB. A. General Tampering Self-recovery watermarking schemes enable the detection of tampering or replacement of a watermarked image. The distinction mainly lies in the tamper localization accuracy and the quality of recovered images. As pointed out in [19], the quality of a recovered image highly depends on the size of tampered regions. The complexity of the image content and the accuracy of tamper localization also affect the quality of the recovered image. PSNR of the recovered image with respect to the watermarked image is commonly used to measure the quality of the recovered image. Two watermarked images, a textured Barbara of size 512 512 and a smooth Rub of size 768 1024, are used to demonstrate the performance of the proposed scheme in general tampering. For each test image, the 2 2 image blocks were randomly modied with different tamper ratio, and the tampered blocks were detected and recovered. Three statistical values and PSNR are obtained. The tamper ratio of the tested image is computed by (42) Fig. 6 shows the experimental results of PFD and PSNR by the proposed scheme, Lins scheme [18], and Lees scheme [20]. Fig. 6(a) reveals that the PFD of the Lees method is the smallest. This may be owing to the fact that for the Lee method, 1) the validity of image block is only determined by the two authentication-bits inserted in the same block, and 2) the block size is 2 2 pixels. The PFD of Lins scheme is slightly larger than that of Lees scheme because the Lin scheme uses a block size of 4 4 pixels. Fig. 6(a) also shows that the PFD of the proposed scheme is kept as small as that of Lees scheme at tamper ratios from 0.1% to 50%. Even when the tamper ratio is larger than 50%, PFD of the proposed scheme increases along with the increase of the tamper ratio, but it is smaller than 5% throughout. Moreover, Fig. 6(a) shows that PFDs for the Barbara image and the Rub image by the same watermarking scheme are almost the same. This implies that the complexity of the image content does not have much impact on the performance of tamper detection. Recovery quality by the proposed and Lees schemes is better than that by Lins scheme, as seen in Fig. 6(b), because the former can reconstruct the invalid block from neighboring valid pixels even though the mapping block is destroyed. In contrast, Lins scheme is not able to recover the invalid block if the mapping block is not authentic. Further, the recovery quality of the proposed scheme is superior to that of the Lees scheme. This may be due to the fact that the PFA of the proposed scheme is smaller than that of Lees method. The PSNRs of the proposed scheme are higher than 25 dB as long as the tampered ratio is no more than 55% of the textured Barbara image or 65% for the smooth image. These results indicate that the tampered image can be recovered by the proposed scheme with an acceptable

Fig. 6. Performance comparison under general tampering. (a) PFD and (b) PSNR.

visual quality even the tamper ratio is up to 60% of the host image. B. Collage Attack The second experiment considers the effect of collage attack. In this test, two paired images, Fish and Rub, both of size 768 1024, and Lena and Barbara, both of size 512 512, were watermarked using the same key. The collaged image was constructed by copying certain regions of Rub (Barbara) and pasting it onto the Fish (Lena) image, and their relative spatial locations in the image were preserved. Fig. 7 shows the PFA/PFR and PSNR by the proposed scheme, Lins scheme [18], and Lees scheme [20] under the collage attack. As shown in Fig. 7(a), the PFA and PFR of Lins scheme increases linearly with the increase of the tamper ratio. The PFR of Lees method is zero but the PFA is 100%. This indicates that Lees scheme cannot resist the collage attack so that the recovery quality of Lees scheme is the worst because the attacked portion of the image cannot be recovered, as illustrated in Fig. 7(b). In contrast, the PFA of the proposed scheme is close to zero when the collaged area is less than 20% of the host image, and the PFR is about zero until the attacked ratio is up to 30%. Fig. 7(b) shows that the PSNRs of the proposed scheme are much higher than those of both Lins scheme and Lees scheme at various tamper ratios from 0.1% to 40%. The PSNR values of the proposed scheme are larger than 25 dB as

HE et al.: PERFORMANCE ANALYSIS OF A BLOCK-NEIGHBORHOOD-BASED SELF-RECOVERY SCHEME

193

Fig. 7. Performance comparison under the collage attack. (a) PFA/PFR and (b) PSNR.

Fig. 8 Performance comparison under the only-content tampering and constant-average attack. (a) PFA and (b) PSNR.

long as the collaged region is not greater than 30% of the host image. C. Content-Only Tampering and Constant-Average Attack The third experiment examines the tamper detection and recovery capability of the proposed scheme when the host image is maliciously modied by CT and CAA. The common feature of two modications is that the embedded watermark in the LSB planes of the host image is intact. In this case, the quality of the recovered image would not be severely degraded if the authentic blocks are falsely recovered. On the other hand, if the tampered blocks are undetected, the quality of the recovered image would be severely degraded. Therefore, a low PFA is very important for a high-quality recovered image under CT and CAA. Fig. 8 shows the PFA and PSNR of the proposed scheme, Lins scheme, and Lees scheme under CT and CAA. When only the content of a test image is randomly tampered, it can be seen from Fig. 8(a) that the PFA of Lins scheme is close to zero, the PFA of the proposed scheme is always less than 0.7%, and the PFA of Lees scheme is 100% (the 1/200 of it is 0.5%). This indicates that Lees scheme fails to detect the attacked blocks and the attacked potion of image cannot be recovered. Thus, the recovered image by Lees scheme exhibits the lowest quality. On the other hand, the low PFA by Lins scheme does not transform to a high-quality image recovery. This is mainly due to the fact that, by Lins strategy, the invalid block will not be recovered if the mapping block is invalid. In contrast, our method effectively

recovers all tampered blocks, indicated by the PSNR of higher than 23 dB shown in Fig. 8(b). These results indicate that the proposed scheme can effectively resist the CT attack. As a test image is tampered by CAA, Lins scheme and Lees scheme fail to detect the attacked blocks, indicated by the PFA of 100% shown in Fig. 8(a) (the 1/400 of Lins PFA is 0.25% and the 1/500 of Lees PFA is 0.2%.). Also, the quality of the recovered images by these two schemes is very poor, evidenced by the low PSNRs as shown in Fig. 8(b). This shows that Lins scheme and Lees scheme are not capable of withstanding the constant-average attack. In contrast, our method can effectively identify the tampered blocks with a probability more than 99% under the constant-average attacks, indicated by a PFA less than 0.9%. As illustrated in Fig. 8(b), PSNRs of our scheme are higher than 23 dB at various tampered areas from 0.1% to 80% of the host image. This demonstrates that the proposed scheme can effectively resist the constant-average attacks. D. Multiregion and Multiattack Tampering In the previous three experiments, we only consider single tampered area under single attack. As analyzed in Section III, the proposed method performs well for the tampered blocks in the tamper regions; but the performance degrades for the tampered blocks located on the boundary of the tampered regions. Here we examine the performance of the proposed scheme under spread-distributing multiregion and against multiattack tampering.

194

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Fig. 9. Watermarked and tampered images. (a) Barbara: 43.82 dB; (b) water: 44.13 dB; (c) Flinstones: 44.17 dB; (d) hill-water: 44.11 dB; (e) multiregion tampered Barbara; and (f) multiattack tampered water. TABLE I PERFORMANCE COMPARISON OF TAMPER DETECTION AND RECOVERY

Fig. 10. Multiregion tampered Barbara image. Tamper detection results by (a) the proposed method, (b) Lee [20] and (c) He [15]. Recovered images by (d) the proposed method, (e) Lee [20], and (f) He [15].

The Barbara, Water, Flinstones, and Hill-water images with a size of 512 512 pixels are chosen. The watermarked Barbara, Water, Flinstones, and Hill-water were generated by the proposed scheme with the same secret key, shown in Fig. 9(a)(d), with PSNR of 43.82, 44.13, 44.17, and 44.11 dB, respectively. The multiregion tampered Barbara image is shown in Fig. 9(e), in which there are six different distributions of general tampering. They are 1) some letters from ITP Southwest Jiaotong University, 2) the transverse columns tampering, 3) the longitudinal columns tampering, 4) the diagonal columns tampering, 5) many small square regions, and 6) a triangle region. Fig. 9(f)

is the multiattack tampered Water image, in which there are eight tampered regions. For convenience of description, eight tampered regions are marked as , as shown in Fig. 9(f). These modications can be classied into ve attacks: 1) general tampering with a piece of white cloud marked ; 2) content-only tampering: the content (5 MSBs) of is modied by pixel; 3) constant-feature attack: is attacked by modifying some uncoded DCT coefcients of blocks with size of 8 8 pixels, and is modied by the constant-average attack [25]; 4) VQ attack: is replaced with the house in itself by pixel, and is replaced by a turtle of the watermarked Flinstones by block with size of 2 2 pixels without preserving their relative spatial locations within the image; and 5) collage attack: a turtle of the watermarked Flinstones was collaged onto by the 2 2 block and a hill of the watermarked Hill-water was collaged onto by the 8 8 block while preserving their relative spatial locations within the image. Performance comparison of various self-recovery watermarking methods on the multiregion tampered Barbara and the multiattack tampered Water was investigated. Table I summarizes the quantitative results in terms of (tamper ratio), PFA, PFR, and PSNR. Figs. 10 and 11 show the tamper detection and recover results of multiregion

HE et al.: PERFORMANCE ANALYSIS OF A BLOCK-NEIGHBORHOOD-BASED SELF-RECOVERY SCHEME

195

TABLE II CHARACTERISTICS OF VARIOUS SELF-RECOVERY FRAGILE WATERMARKING SCHEMES

Fig. 11. Multiattack tampered water image. Tamper detection results by (a) the proposed method, (b) Lin [18], (c) He [15], (d) Lee [20], and (e) Qian [23]; recovered images by (f) the proposed method, (g) Lin [18], and (h) He [15].

proposed scheme used the 8 bits watermark to detect the validity of the 2 2 pixels and adopt the boundary optimization strategy to decrease the PFA of the tampered blocks located on the boundary of tampered regions. In contrast, the block size is 8 8 pixels in Hes method [15] and only 2 bits authentication data are used to detect the validity of the 2 2 pixels in the Lees method. Although the PFR of our scheme is relatively high (3.62% in the multiregion tampering), it does not have signicant impact on the quality of the recovered image [Fig. 10(d)]. The PSNR of the recovered image is 4 dB higher than that of Lees scheme, about 12 dB higher than that of the Lins scheme, and about 15 dB higher than that of the Hes scheme. For multiattack tampering, the proposed scheme exhibits much better tamper detection performance than other schemes, indicated by the much lower PFA of 0.93%. The methods reported in [15], [18], [20], and [23] cannot resist all the counterfeiting attacks, evidenced by the corresponding PFA of 10.12%, 16.03%, 94.85%, and 42.45%, respectively. Moreover, quality of the recovered image by the proposed scheme tops other methods with the measure by the PSNR of 32.04 dB compared to the 21.48 dB by Hes scheme, 19.83 dB by Lees scheme, and 21.31 dB by Lins scheme. The results are shown in Fig. 11. Qians scheme [23] could not reconstruct the tampered blocks in the multiattack tampered Water image due to that fact that the tamper ratio is large and the tampered watermark data were considered as valid. This demonstrates that the proposed method outperforms other self-recovery fragile watermarking algorithms in tamper detection and recovery under multiregion and multiattack tampering. Comparison of characteristics of the considered self-recovery watermarking schemes against attacks is summarized in Table II. V. CONCLUSION We have proposed a block-neighborhood-based self-recovery watermarking method with superior localization and recovery quality. The method generates the block-mapping sequence randomly by the secret key, and adopts the neighborhood characterization to design an automatic tamper detection scheme that improves the quality of the recovered image. Analytical expressions of the probabilities of false acceptance and false rejection for the proposed tamper detection method under various malicious tampering and the selection of the predened thresholds of optimization strategies have been derived and analyzed. Experiment results have veried our theoretical analysis and have

and multiattack tampering by the proposed scheme, the methods in [15], [17], [20] and [23]. All reported self-recovery schemes can detect the multiregion general tampering on a watermarked image. As shown in Table I, Qians scheme [23] has the smallest PFA but fails to reconstruct the tampered blocks in the multiregion tampered Barbara image. This is due to that fact that the tamper ratio is larger than 35% of the host image. The proposed scheme has the smaller number (0.14%) of tampered blocks falsely accepted, whereas PFAs by Lees scheme and Hes scheme are of 6.06% and 18.93%, respectively. This is mainly due to the fact that the

196

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

demonstrated the superiority of the proposed scheme in comparison to other self-recovery fragile watermarking algorithms. REFERENCES
[1] M. Yeung and F. Mintzer, An invisible watermarking technique for image verication, in Proc. Int. Conf. Image Processing, Oct. 1997, vol. 1, pp. 680683. [2] P. Wong and N. Memon, Secret and public key image watermarking schemes for image authentication and ownership verication, IEEE Trans. Image Process., vol. 10, no. 10, pp. 15931601, Oct. 2001. [3] J. Fridrich, Security of fragile authentication watermarks with localization, in Proc. SPIE, Security and Watermarking of Multimedia Contents, San Jose, CA, Jan. 2002, vol. 4675, pp. 691700. [4] M. Celik, G. Sharma, E. Saber, and A. M. Tekalp, Hierarchical watermarking for secure image authentication with localization, IEEE Trans. Image Process., vol. 11, no. 6, pp. 585595, Jun. 2002. [5] E. Izquierdo and V. Guerra, An ill-posed operator for secure image authentication, IEEE Trans. Circuits Syst. Video Technol., vol. 13, no. 8, pp. 842852, Aug. 2003. [6] S. Suthaharan, Fragile image watermarking using a gradient image for improved localization and security, Pattern Recognit. Lett., vol. 25, pp. 18931903, 2004. [7] S.-H. Liu, H.-X. Yao, W. Gao, and Y.-L. Liu, An image fragile watermark scheme based on chaotic image pattern and pixel-pairs, Appl. Math. Comput., vol. 185, no. 2, pp. 869882, 2007. [8] D. Kundur and D. Hatzinakos, Digital watermarking for telltale tamper proong and authentication, Proc. IEEE, vol. 87, no. 7, pp. 11671180, Jul. 1999. [9] M. Holliman and N. Memon, Counterfeiting attacks on oblivious block-wise independent invisible watermarking schemes, IEEE Trans. Image Process., vol. 9, no. 3, pp. 432441, Mar. 2000. [10] J. Fridrich, M. Goljan, and N. Memon, Cryptanalysis of the YeungMintzer fragile watermarking technique, J. Electron. Imag., vol. 11, pp. 262274, 2002. [11] H. J. He, J. S. Zhang, and H.-M. Tai, A wavelet-based fragile watermarking scheme for secure image authentication, in Proc. 5th Int. Workshop on Digital Watermarking, Korea, Nov. 2006, pp. 422432. [12] J. Fridrich and M. Goljan, Images with self-correcting capabilities, in Proc. ICIP99, Kobe, Japan, Oct. 1999, pp. 2528. [13] J. Fridrich and M. Goljan, NJIT, Protection of digital images using self-embedding, in Proc. Symp. Content Security and Data Hiding in Digital Media, NJ, May 14, 1999. [14] X. Zhu, A. Hob, and P. Marziliano, A new semi-fragile image watermarking with robust tampering restoration using irregular sampling, Signal Process., Image Commun., vol. 22, no. 5, pp. 515528, 2007. [15] H. He, J. Zhang, and F. Chen, Adjacent-block based statistical detection method for self-embedding watermarking techniques, Signal Process., vol. 89, pp. 15571566, 2009. [16] X. Zhang and S. Wang, Fragile watermarking scheme with extensive content restoration capability, in Proc. IWDW 2009, 2009, vol. 5703, LNCS, pp. 268278. [17] P. L. Lin, P. W. Huang, and A. Peng, A fragile watermarking scheme for authentication with localization and recovery, in Proc. IEEE 6th Int. Symp. Multimedia Software Engineering, 2004, pp. 399407. [18] P. L. Lin, C. K. Hsieh, and P. W. Huang, A hierarchical digital watermarking method for image tamper detection and recovery, Pattern Recognit., vol. 38, pp. 25192529, 2005. [19] M. S. Wang and W. C. Chen, A majority-voting based watermarking scheme for color image tamper detection and recovery, Comput. Standards Interfaces, vol. 29, no. 5, pp. 561570, 2007. [20] T.-Y. Lee and S. D. Lin, Dual watermark for image tamper detection and recovery, Pattern Recognit., vol. 41, no. 2, pp. 34973506, 2008. [21] H. He, J. Zhang, and H.-M. Tai, Self-recovery fragile watermarking using block-neighborhood tampering characterization, in Proc. 11th Intl. Workshop, IH 2009, Darmstadt, Germany, Jun. 710, 2009. [22] X. Zhang and S. Wang, Fragile watermarking with error-free restoration capability, IEEE Trans. Multimedia, vol. 10, no. 8, pp. 14901499, Dec. 2008. [23] Z. Qian, G. Feng, X. Zhang, and S. Wang, Image self-embedding with high-quality restoration capability, in Proc. Digital Signal Processing, 2011, vol. 21, pp. 278286. [24] C. Yang and J. Shen, Recover the tampered image based on VQ indexing, Signal Process., vol. 90, pp. 331343, 2010.

[25] C. Chang, Y. Fan, and W. Tai, Four-scanning attack on hierarchical digital watermarking method for image tamper detection and recovery, Pattern Recognit., vol. 41, pp. 654661, 2008. [26] H. He, J. Zhang, and H. Wang, Synchronous counterfeiting attacks on self-embedding watermarking schemes, Int. J. Comput. Sci. Netw. Security, vol. 6, no. 1B, pp. 251257, 2006.

Hongjie He received the Ph.D. degree in signal and information processing from Southwest Jiaotong University, China. Currently, she is an associate professor of Southwest Jiaotong University, Chengdu, China. Her research interests are in the areas of digital forensics and image processing.

Fan Chen received the M.S. degree in computer software and theory from Chengdu Branch, Chinese Academy Sciences. Currently, he is an associate professor of Southwest Jiaotong University, Chengdu, China. His research interests include multimedia security and digital watermarking.

Heng-Ming Tai (S82M82SM94) received the B.S. degree from National Tsing-Hua University, Taiwan, and the M.S. and Ph.D. degrees from Texas Tech University, all in electrical engineering. He is a professor in the Department of Electrical Engineering at the University of Tulsa. His research interests are in the areas of signal and image processing and industrial electronics. Dr. Tai is a member of Eta Kappa Nu.

Ton Kalker is a Distinguished Technologist at Hewlett-Packard Laboratories, Palo Alto, CA. Joining Hewlett-Packard in 2004, he focused his research on the problem of noninteroperability of DRM systems. He became one of the three lead architects of the Coral consortium, publishing a standard framework for DRM interoperability in 2007. His interests include signal and audiovisual processing, media security, and information theory.

Jiashu Zhang received the Ph.D. degree in communication and information systems from the University of Electronic Science and Technology, China. Currently, he is a Professor of Southwest Jiaotong University, Chengdu, China. His current research interests include information security, signal processing, and nonlinear system.