
3 Collusion attacks

3.2. Introduction to order statistics

3.3.1. Fingerprinting systems and collusion attacks

If we look at both the digital fingerprinting process and the collusion attack process collectively, then the complete system may be viewed as consisting of three main parts: fingerprint embedding, collusion attacks, and fingerprint detection. We now look at each of these components individually.

Fingerprint embedding. At the content owner's side, for each user in the system, he generates a unique fingerprint of the same size as the host signal. Due to its robustness against many attacks by a single adversary, spread-spectrum embedding [23,24] is applied to hide fingerprints in the host signal, and human visual models are used to guarantee the imperceptibility of the embedded fingerprints. Finally, the content owner distributes the fingerprinted copies to the corresponding users. Assume that there are a total of $M$ users in the system. Given a host signal represented by a vector $x$ of length $N$, assume that $s_i$ is the fingerprint for the $i$th user, where $i = 1, 2, \ldots, M$, and it has length $N$. In orthogonal fingerprint modulation, the $M$ fingerprints are generated independently. The fingerprinted copy $y_i$ that is distributed to the $i$th user is generated by

where $y_i(j)$, $x(j)$, and $s_i(j)$ are the $j$th components of the fingerprinted copy, the original signal, and the fingerprint, respectively. JND here is the just-noticeable difference from human visual models [24] to control the energy of the embedded fingerprints so as to ensure their imperceptibility.

Collusion attacks. To examine families of nonlinear collusion, the averaging-based collusion attack is used as the benchmark to measure the effectiveness of collusion. The typical nonlinear collusion attacks that are considered include

(i) minimum/maximum/median attack: under these attacks, the colluders create an attacked signal, in which each component is the minimum, maximum, and median, respectively, of the corresponding components of the fingerprinted signals associated with the colluders;

(ii) minmax attack: each component of the attacked signal is the average of the maximum and minimum of the corresponding components of the fingerprinted signals;

(iii) modified negative attack: each component of the attacked signal is the difference between the median and the sum of the maximum and minimum of the corresponding components of the fingerprinted signals;

(iv) randomized negative attack: each component of the attacked signal takes the value of the maximum of the corresponding components of the fingerprinted signals with probability p, and takes the minimum with probability 1−p.

In order to make it easier to acquire analytical insight, we typically assume that the nonlinear collusion attacks are performed in the same domain of features as the fingerprint embedding process. Further, we note that it is possible to evaluate the performance for these attacks when the attack domain and the embedding domain differ by performing experimental studies.

Assume that $K$ out of $M$ users collude and $S_C = \{i_1, i_2, \ldots, i_K\}$ is the set containing the indices of the colluders. The fingerprinted copies that are received by these $K$ colluders are $\{y_k\}_{k \in S_C}$. The colluders generate the $j$th component of the attacked copy $y(j)$ using one of the following collusion functions:

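$$
\begin{aligned}
\text{average attack:}\quad & y^{\mathrm{ave}}(j) = \sum_{k \in S_C} \frac{y_k(j)}{K}, \\
\text{minimum attack:}\quad & y^{\min}(j) = \min\big(\{y_k(j)\}_{k \in S_C}\big), \\
\text{maximum attack:}\quad & y^{\max}(j) = \max\big(\{y_k(j)\}_{k \in S_C}\big), \\
\text{median attack:}\quad & y^{\mathrm{med}}(j) = \operatorname{med}\big(\{y_k(j)\}_{k \in S_C}\big), \\
\text{minmax attack:}\quad & y^{\mathrm{MinMax}}(j) = \frac{y^{\min}(j) + y^{\max}(j)}{2}, \\
\text{modified negative attack:}\quad & y^{\mathrm{ModNeg}}(j) = y^{\min}(j) + y^{\max}(j) - y^{\mathrm{med}}(j), \\
\text{randomized negative attack:}\quad & y^{\mathrm{RandNeg}}(j) =
\begin{cases}
y^{\min}(j) & \text{with prob. } p, \\
y^{\max}(j) & \text{with prob. } 1-p.
\end{cases}
\end{aligned}
\tag{3.21}
$$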

In (3.21), $\min(\{y_k(j)\}_{k \in S_C})$, $\max(\{y_k(j)\}_{k \in S_C})$, and $\operatorname{med}(\{y_k(j)\}_{k \in S_C})$ return the minimum, the maximum, and the median values of $\{y_k(j)\}_{k \in S_C}$, respectively. The colluded copy is $y = [y(1), y(2), \ldots, y(N)]$. For the fingerprint embedding and collusion attack model in this section, applying the collusion attacks to the fingerprinted copies is equivalent to applying the collusion attacks to the embedded fingerprints. For example,

$$
y^{\min}(j) = \min\big(\{x(j) + \mathrm{JND}(j) \cdot s_k(j)\}_{k \in S_C}\big) = x(j) + \mathrm{JND}(j) \cdot \min\big(\{s_k(j)\}_{k \in S_C}\big). \tag{3.22}
$$

Fingerprint detection and colluder identification. In many fingerprinting applications, the original signal is often available at the detector, and therefore, a nonblind detection scenario is feasible. Since a nonblind detection process operates at a higher effective watermark-to-noise ratio, it is preferable for the colluder detection scheme to use nonblind detection whenever possible. The nonblind detector first removes the host signal from the test copy before colluder identification. Then, it extracts the fingerprint from the test copy, measures the similarity between the extracted fingerprint and each of the original fingerprints, compares with a threshold, and outputs the estimated identities of the colluders.

Under the nonlinear collusion attacks in (3.21), the extracted fingerprint is

$$
w = g\big(\{s_k\}_{k \in S_C}\big), \tag{3.23}
$$

where $g(\cdot)$ is a collusion function defined in (3.21). To test the presence of the original fingerprint $s_i$ in the extracted fingerprint $w$, we use the three detection statistics discussed in Chapter 2: $T_N$, $z$, and $q$. Note that all three detection statistics are correlation-based, in which the correlation between the extracted fingerprint $w$ and the original fingerprint $s_i$ is the kernel term, and they differ primarily in the way of normalization.
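The three-part model above (embedding, collusion, nonblind detection) can be exercised as a detector robustness check. The following is an added example, not code from the book: it applies each collusion function of (3.21) to constructed Gaussian fingerprints, confirms that attacking the copies and attacking the fingerprints give the same extracted $w$, and runs a correlation detector. All function names, the sizes, the seed, the threshold of 8, and the statistic $\langle w, s_i\rangle / \lVert s_i\rVert$ (a stand-in for the Chapter 2 statistics, which this section does not define) are assumptions.

```python
import random
from statistics import median

ATTACKS = ("average", "minimum", "maximum", "median", "minmax", "modneg", "randneg")

def collude(vals, attack, rng, p=0.5):
    """Collusion function g(.) of (3.21) applied to one component's K values."""
    lo, hi, med = min(vals), max(vals), median(vals)
    if attack == "randneg":          # y_min with prob. p, else y_max, as in (3.21)
        return lo if rng.random() < p else hi
    return {"average": sum(vals) / len(vals), "minimum": lo, "maximum": hi,
            "median": med, "minmax": (lo + hi) / 2, "modneg": lo + hi - med}[attack]

def make_system(M, N, seed=7):
    """Constructed data: host x, JND mask, M independent Gaussian fingerprints,
    and copies y_i(j) = x(j) + JND(j) * s_i(j) as described in the text."""
    rng = random.Random(seed)
    x = [rng.uniform(0, 255) for _ in range(N)]
    jnd = [rng.uniform(0.5, 2.0) for _ in range(N)]
    s = [[rng.gauss(0, 1) for _ in range(N)] for _ in range(M)]
    y = [[x[j] + jnd[j] * si[j] for j in range(N)] for si in s]
    return x, jnd, s, y

def apply_attack(signals, colluders, attack, seed=1):
    """Component-wise collusion over the signals indexed by S_C."""
    rng = random.Random(seed)
    return [collude([signals[k][j] for k in colluders], attack, rng)
            for j in range(len(signals[0]))]

def extract(test_copy, x, jnd):
    """Nonblind extraction: remove the host, undo the JND scaling."""
    return [(v - xj) / dj for v, xj, dj in zip(test_copy, x, jnd)]

def detect(w, s, threshold):
    """Accuse user i when <w, s_i> / ||s_i|| exceeds the threshold (assumed
    stand-in for the Chapter 2 statistics, which this page does not define)."""
    return {i for i, si in enumerate(s)
            if sum(a * b for a, b in zip(w, si)) / sum(b * b for b in si) ** 0.5 > threshold}

if __name__ == "__main__":
    x, jnd, s, y = make_system(M=20, N=10000)
    S_C = [2, 5, 11, 14, 17]                               # constructed colluder set
    for attack in ATTACKS:
        w = extract(apply_attack(y, S_C, attack), x, jnd)
        w_direct = apply_attack(s, S_C, attack)            # collusion on fingerprints
        gap = max(abs(a - b) for a, b in zip(w, w_direct)) # equivalence, cf. (3.22)
        print(f"{attack:8s} gap={gap:.1e} accused={sorted(detect(w, s, 8.0))}")
```

With unit-variance fingerprints, a colluder's statistic concentrates near $\sqrt{N}/K$ for every attack in the list, which is why one threshold separates colluders from innocent users at this $N$ and $K$.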