CN115526758A - Hadamard transform screen-shot-resistant watermarking method based on deep learning - Google Patents

Abstract

The invention discloses a Hadamard transform screen-shot-resisting watermark method based on deep learning, and belongs to the technical field of watermarks. The invention combines the Convolution Neural Network (CNN) and the residual block, and realizes the end-to-end process of embedding and extracting the watermark in the Hadamard domain. The invention adds the screen shot attack into the middle of the embedding layer and the extracting layer by simulating the screen shot attack so as to ensure that the network can stably embed the watermark. The method can efficiently extract the watermark information according to the photos of the candid, and carry out copyright protection on the digital media. The invention uses the transform domain to embed the watermark, so that the watermark is diffused in a wider image range, and the characteristic has a better effect of improving the robustness of the watermark algorithm. The superiority of the invention in imperceptibility and robustness is demonstrated by comparison with the related art.

Description

Hadamard transform anti-screen watermarking method based on deep learning

technical field

The invention belongs to the technical field of watermarking, and in particular relates to a Hadamard transform anti-screen watermarking method based on deep learning. The method can efficiently extract watermark information from photos of sneak photographers, and perform copyright protection on digital media.

Background technique

As a new medium for carrying knowledge and disseminating information, electronic screens have become an indispensable part of people's daily life. Electronic screens have greatly changed the way people read. Contemporary people choose screen reading instead of paper reading.

At the same time, with the widespread use of smart phones, the process of taking pictures has become simple and easy. In the field of information security, stealing sensitive information within the unit through screen photography, video recording and other means has gradually become the main way of important information leakage.

Screen shot (that is, screen shot) leaks and forensics has become a hot issue. In order to solve the problem of leaks, many departments and companies need to deploy screen capture traceability systems to collect evidence for leaks, form a deterrent capability, and avoid the launch of leaks. Specifically, it is mainly divided into active defense before the event and well-documented after the event. The traceability information is hidden in the controlled terminal in advance, and the client is arranged to warn. The system deployment forms a huge deterrent effect, effectively reducing the willingness of leakers. On the other hand, when the confidential information is leaked, the source of the leak and the responsible person can be found through the traceability system, so that the leaker cannot deny it, and the responsibility of the related party can be effectively investigated, so as to ensure the copyright information of the confidential organization and ensure information security. At present, the application of deep learning technology in the field of watermarking algorithm is growing rapidly, because it can effectively solve the process of watermark embedding and extraction. The existing digital watermarking technology can effectively solve the problems of multimedia data copyright protection, but how to design a digital watermarking algorithm that can resist screen capture attacks is still a difficult problem. Traditional digital watermarking algorithms can effectively resist common types of attacks, such as image processing, geometric transformation, etc., but because screen capture attacks are a complex process, when shooting images displayed on the screen, both images and watermarks have to go through a series of Analog-to-digital and digital-to-analog conversion processes that present a powerful combination of attacks. At present, there are few researches on digital watermarking algorithms against screen capture attacks. Therefore, how to improve the robustness of the algorithm against screen shooting in the digital watermarking algorithm is a technical problem to be solved urgently.

The application of convolutional neural networks to watermarking has recently emerged due to the rapid development of machine learning tools and deep networks in various computer vision and image processing fields.

Contents of the invention

The purpose of the present invention is to solve the problem that the digital watermarking algorithm in the prior art is difficult to resist the screen shot attack, and proposes a Hadamard transform anti-screen shot watermarking method based on deep learning. The invention combines a convolutional neural network (CNN) and a residual block to realize an end-to-end process of embedding and extracting a watermark in the Hadamard domain. In addition, the present invention adds a module for simulating screen capture attacks between the watermark embedding layer and the extraction layer to ensure that the network is robust and embedded watermarks can extract watermark information from leaked photos, thereby realizing copyright protection.

The technical scheme that the present invention specifically adopts is as follows:

A Hadamard transform anti-screen watermarking method based on deep learning, which includes:

S1. Construct a watermark model framework composed of a watermark embedding module, an attack simulation module and a watermark extraction module;

The watermark embedding module is formed by cascading the first Hadamard transformation layer, the first convolution module and the Hadamard inverse transformation layer, and its input is the watermark to be embedded and the original image to be embedded with the watermark; the original image of the single channel is pre-segmented It is a series of first image blocks of the same size, each first image block is input into the first Hadamard transformation layer and transformed from the spatial domain to the frequency domain by Hadamard transformation, and the two-dimensional transformation results of each first image block are spliced along the channel dimension Finally, the first transformed feature map is obtained, and then the watermark to be embedded is embedded in the first transformed feature map to obtain the second transformed feature map, and the second transformed feature map is input into the first convolution module for convolution operation, thereby obtaining the The third transformation feature map with the same number of channels in the first transformation feature map, the third transformation feature map is input into the Hadamard inverse transformation layer channel by channel, and the Hadamard inverse transformation is used to transform from the frequency domain back to the space domain, and the two-dimensional transformation results of each channel are re-pressed. The intermediate image with the same size as the original image is obtained by sequential splicing and restoration, and the intermediate image is superimposed on the original image and output as a single-channel watermarked image;

A variety of attack operations including screen shot attacks are built into the attack simulation module, the input of which is the watermarked image, and each attack operation can attack the watermarked image and generate a single-channel victim The watermarked image after the attack; and the moiré attack in the screen shot attack is realized by the moiré attack network, the moiré attack network is trained by the U-Net network, the input is a watermarked image, and the output is after adding noise through the moiré attack The watermarked image;

The watermark extraction module is formed by cascading the second Hadamard transformation layer and the second convolution module, and its input is the attacked watermarked image of a single channel; the attacked watermarked image is pre-segmented into a series of For the second image blocks of the same size, each second image block is input into the second Hadamard transformation layer and transformed from the spatial domain to the frequency domain through Hadamard transformation, and the two-dimensional transformation results of each second image block are spliced along the channel dimension to obtain the first Transform the feature map four times, and then input the fourth transformed feature map into the second convolution module to perform a convolution operation to obtain a watermark extraction result;

S2. Use the training data to iteratively train the watermark model framework by minimizing the total loss function, and the watermark extraction module selects different attack operations in different training rounds to perform the watermarked image output by the watermark embedding module Attack, each round of training selects an attack operation, and all training rounds cover all attack operations; the total loss function is weighted by the biased reciprocal of the normalized cross-correlation loss and the structural similarity index loss;

S3. After the training of the watermark model framework is completed, the watermark embedding module is used to embed the watermark, and the watermarked image with the watermark is output, and for the image requiring watermark extraction, directly input it into the watermark extraction module for watermark extraction.

Preferably, the expression of the total loss function is as follows:

Among them: L _w represents the normalized cross-correlation coefficient of the original embedded watermark and watermark extraction results, L _I represents the structural similarity index between the original image and the watermarked image, C ₃ and C ₄ are two weak points used to stabilize the denominator variable.

Preferably, both α and β are decimals greater than 0 and less than 1, and satisfy α+β=1.

Preferably, the values of C ₁ , C ₂ , C ₃ , and C ₄ are 10 ^-4 , 9×10 ^-4 , 10 ^-2 and 3×10 ^-2 , respectively.

Preferably, the watermark to be embedded is embedded in the first transformed feature map by splicing the watermark to be embedded and the first transformed feature map along the channel dimension.

Preferably, the first convolution module and the second convolution module respectively include 5 convolution layers.

Preferably, the screen shooting attack includes multiple attack operations of perspective transformation, light distortion, JPEG distortion and moiré mode.

Preferably, the attack simulation module also includes non-screen shot attacks, specifically including various attacks on images such as blurring, cropping, Gaussian noise, mosaic noise, scaling, rotation, sharpening, watermarking, display distortion, brightness and contrast operate.

Preferably, in the training process of the moiré attack network, a series of watermarked image samples x _i and corresponding watermarked images y _i after moiré attack with noise added are used as input samples, and by minimizing the loss function L _m to U -Net network for training; where the form of the loss function L _m is:

In the formula: m is the total number of samples used for training, and f( _xi ) is the prediction result output by the U-Net network for the input watermarked image sample _xi .

Preferably, in said S3, the image requiring watermark extraction is a confidential photo in which the watermarked image generated by the watermark embedding module is leaked through screen capture.

Compared with the prior art, the beneficial effects of the present invention are as follows:

In the present invention, a deep end-to-end robust anti-screen watermarking method is proposed, which can learn a new watermarking algorithm in the Hadamard transform space. The algorithmic framework consists of two fully convolutional neural networks with residual blocks, which handle embedding and extraction operations in real time. End-to-end training of the entire deep network for blind secure watermarking. The anti-screen watermarking method proposed by the present invention uses the simulated screen attack as a differentiable network layer to facilitate end-to-end training, and at the same time, the security of the algorithm is enhanced by spreading the watermark data to a wider area of the image through the transform domain and robustness. The comparison with the latest research results shows that the algorithm framework proposed by the present invention has advantages in concealment, robustness and speed.

Description of drawings

Figure 1 is the overall flow chart of the watermark model framework.

Figure 2 is the image PSNR obtained by the embedding algorithm in the watermark embedding module.

Figure 3 shows the difference of the watermark before and after embedding the original input image, where the first row is the original image, the second row is the watermarked image, and the third row is the difference map before and after watermark embedding.

Figure 4 shows some Hadamard transformation coefficients.

Figure 5 shows the screenshot attack display.

Figure 6 is a schematic diagram of the U-Net network structure trained on the Moiré dataset.

Figure 7 shows the test results of the Moiré network, where the first row is the pure input graph, and the second row is the output graph with the Moiré mode added.

detailed description

The present invention will be further elaborated and illustrated below in conjunction with the accompanying drawings and specific embodiments.

The development of multimedia technology is closely related to the needs of leakage sources. The development of multimedia technologies such as audio, image, and video has brought new challenges to leak source location methods, so digital watermarking algorithms, as an important means to achieve leaks, have received extensive attention. For different multimedia technologies, audio watermarking schemes, image watermarking schemes, and video watermarking schemes have been proposed in the prior art. However, with the development of digital technology, the transmission process of multimedia information has undergone tremendous changes, which puts forward new requirements for leakage sources. For traditional ways of stealing information, such as scanning and when sending commercial documents or copying electronic documents, the traditional robust image watermarking scheme can be used to track the source of the leak, which is used in image processing attacks. However, with the popularization of smartphones, photography has become the simplest and most effective way of information transmission, which brings new challenges to leak tracking. Anyone with access to the files can leak information by taking a photo without leaving any records. In addition, the camera shooting process is not easy to be monitored or blocked by the outside world, so it is very important to design a watermarking scheme that resists screen capture attacks to solve this problem. Screenshot image watermarking schemes can provide strong guarantees for leak tracking. The present invention can embed relevant watermark information in the original image, and when these files are secretly photographed, the corresponding information can be extracted from the photo, thereby locating the leaked equipment or employee information, and narrowing the scope of investigation according to information locating, so as to realize accountability process.

The specific implementation of a Hadamard transform anti-screen watermarking method based on deep learning proposed in the present invention will be described in detail below.

S1. Construct a watermark model framework composed of a watermark embedding module, an attack simulation module and a watermark extraction module.

The watermark model framework adopted in the present invention is composed of three parts, which are respectively: a watermark embedding module, an attack simulation module and a watermark extraction module. In the watermark embedding module, the embedded component is used to embed the watermark into the Hadamard coefficient of the image, and the image is modified to obtain the Hadamard coefficient feature of the image. The attack simulation module is used to simulate a series of screen capture attacks and distortions generated in traditional attacks during the screen capture process, such as perspective transformation, light distortion, JPEG distortion, moiré patterns, etc. In particular, the present invention designs a moiré attack network in the attack simulation module to simulate the moiré phenomenon, which is the most common screen capture attack, so as to improve the recovery ability of the watermark image against distortion in the real screen capture scene. The watermark extraction module extracts watermarks from captured photos. The overall flow chart of the above framework is shown in Figure 1, and the specific data processing process in the three modules will be described in detail below.

The above watermark embedding module is used to embed the watermark into the original image, minimize the perceptual difference between the original image and the watermark image, and improve the imperceptibility and security of the watermark image. As shown in Figure 1, the watermark embedding module is formed by cascading the first Hadamard transform layer (Hadamard Transform), the first convolution module and the Hadamard inverse transform layer (InverseHadamard Transform), and the input of the watermark embedding module is the watermark to be embedded ( Watermark)W _o and the original image I _o to be embedded with watermark. The single-channel original image I _o is pre-cut into a series of first image blocks I _p of the same size, and each first image block I _p is input into the first Hadamard transform layer and transformed from the spatial domain to the frequency domain by Hadamard transform, and each The two-dimensional transformation result I' _p of the first image block I _p is spliced along the channel dimension to obtain the first transformation feature map H _o , and then the watermark W _o to be embedded is embedded in the first transformation feature map H _o to obtain the second transformation feature map H o Transform the feature map H ₁ , input the second transformed feature map H ₁ into the first convolution module for convolution operation, so as to obtain the third transformed feature map H ₂ with the same number of channels as the first transformed feature map H _o , and convert the second transformed feature map H 2 to The three-transform feature map H ₂ is input channel by channel into the Hadamard inverse transform layer and transformed from the frequency domain back to the space domain through the Hadamard inverse transform. The two-dimensional transformation result H' _2i of each channel is re-spliced and restored in the order of segmentation to obtain the same size as the original image. The intermediate image I' is superimposed on the intermediate image I' and the original image and then output as a single-channel watermarked image I _o .

It should be noted that after the Hadamard inverse transformation is performed on the third transformation feature map H ₂ channel by channel, each channel will get a two-dimensional transformation result H' _2i , and these two-dimensional transformation results H' _2i are spliced into an intermediate image When , it is necessary to splicing according to the corresponding order in which the original image I _o is divided into the first image block I _p , so as to realize image restoration.

In the present invention, the way of embedding the watermark to be embedded into the first transformed feature map is: splicing the watermark to be embedded and the first transformed feature map along the channel dimension. Since the watermark image W _o needs to be spliced in the first transformed feature map, in order to ensure that its size meets the splicing requirements, the size of the first image block I _p formed by segmenting the original image I _o needs to be consistent with the watermark image W _o . If the size of the original image I _o is X×Y, and the size of the watermark image W _o is H×G, then the original image I _o of size X×Y needs to be divided into a series of first image blocks I _p of size H×G . In the present invention, considering the actual characteristics of the image and the needs of watermark embedding, the length and width of the image are set to be consistent, that is, X=Y=M, and the length and width of the watermark image W _o are also consistent in size, that is, H×G=N, M The specific values of N and N can be adjusted according to actual conditions, but M should be divisible by N, for example, M=512 and N=32.

As shown in Figure 1, the above-mentioned attack simulation module is located between the watermark embedding module and the watermark extraction module, and its function is to simulate the attack operation during the training process of the watermark embedding module and the watermark extraction module, and then introduce noise into the watermarked image _Io . The above-mentioned attack simulation module has built-in various attack operations including screen shot attack, and its input is the watermarked image I _o , each attack operation can attack the watermarked image I _o and generate a single-channel attacked After the watermarked image. And because the moiré attack is the most common type of attack, the moiré attack in the screen capture attack is implemented by the moiré attack network, which is trained by the U-Net network. The input is the watermarked image I _o , and the output is the moiré attack Watermarked image after adding noise.

The specific network structure of the U-Net network belongs to the prior art, and the training method of the network also belongs to the prior art. In the present invention, during the training process of the moiré attack network, a series of watermarked image samples x _i and corresponding watermarked images y _i after moiré attack with noise added are used as input samples, and by minimizing the loss function L _m to U -Net network for training. The form of the loss function L _m is:

In the formula: m is the total number of samples used for training, and f( _xi ) is the prediction result output by the U-Net network for the input watermarked image sample _xi .

It should be noted that the specific form of the screen capture attack can be adjusted according to the actual situation, and the present invention can include various attack operations such as perspective transformation, light distortion, JPEG distortion and moiré mode. In addition, in order to enhance the robustness, in addition to the screen capture attack, the attack simulation module also needs to include non-screen capture attacks, including blurring, cropping, Gaussian noise, mosaic noise, scaling, rotation, sharpening, floating Various attack operations such as watermark, display distortion, brightness and contrast. Except for the moiré attack, other attack operations can be realized by directly calling image processing functions or operations.

As shown in Figure 1, the above-mentioned watermark extraction module is formed by cascading the second Hadamard transformation layer and the second convolution module, and its input is a single-channel attacked watermarked image. The attacked watermarked image is pre-cut into a series of second image blocks of the same size, and each second image block is input into the second Hadamard transformation layer and transformed from the spatial domain to the frequency domain through Hadamard transformation, and each second image block After splicing the two-dimensional transformation results of the blocks along the channel dimension, the fourth transformation feature map H ₃ is obtained, and then the fourth transformation feature map H ₃ is input into the second convolution module for convolution operation, and the watermark extraction result w _e is obtained.

It should be noted that the above-mentioned first convolution module and the second convolution module of the present invention respectively contain 5 layers of convolution layers. Of course, the specific number of convolution layers and the convolution kernel parameters of each layer can also be optimized according to the actual situation. .

S2. After constructing the watermark model framework shown in Figure 1 above, the training data can be used to iteratively train the watermark model framework by minimizing the total loss function, and in order to ensure that the trained watermark extraction model can resist different Attack, the watermark extraction module selects different attack operations in different training rounds to attack the watermarked image output by the watermark embedding module, but each round of training selects an attack operation, and all training rounds cover all attack operations.

The specific total loss function used in the iterative training of the watermark model framework in the present invention can be optimized according to the actual situation. In the present invention, the overall loss function can be weighted by the biased inverse of the normalized cross-correlation loss and the structural similarity index loss. The expression of the specific total loss function is as follows:

Among them: L _w represents the normalized cross-correlation loss, and the calculation formula is:

L _I represents the structural similarity index loss, and the calculation formula is:

和

分别是所有I_o(x,y)的平均值和所有I_w(x,y)的平均值，

和

分别是所有I_o(x,y)的方差和所有I_w(x,y)的方差，C₁、C₂、C₃和C₄分别是四个弱变量超参数，α和β为两个权值超参数。In the formula: w _o (h, g) is the pixel value at the coordinate position (h, g) of the original embedded watermark with a size of H×G, and w _e (h, g) is the coordinate position (h, g) in the watermark extraction result The pixel value at g); I _o (x, y) is the pixel value at the coordinate position (x, y) in the original image I _o of size X×Y, and I _w (x, y) is the watermarked image I The pixel value at the coordinate position (x, y) in _w ,

and

are the mean of all I _o (x,y) and the mean of all I _w (x,y), respectively,

and

are the variance of all I _o (x, y) and the variance of all I _w (x, y), respectively, C ₁ , C ₂ , C ₃ and C ₄ are four weak variable hyperparameters, and α and β are two Weight hyperparameters.

In the present invention, both α and β can be set to be decimals greater than 0 and less than 1, and satisfy α+β=1, preferably α=β=0.5. In addition, the values of C ₁ , C ₂ , C ₃ , and C ₄ can be selected to be 10 ^-4 , 9×10 ^-4 , 10 ^-2 , and 3×10 ^-2 , respectively.

S3. After the training of the above watermark model framework is completed, the watermark embedding module can be used for watermark embedding, and the watermarked image with watermark is output, and for the image that needs to be extracted, directly input it into the watermark extraction module for watermark extraction .

However, it should be noted that in the above S3, the attack simulation module in Figure 1 is no longer needed, because in the actual application scenario, the attack noise at this time is introduced by the process of actually capturing the secret on the screen. Therefore, in S3, the image that needs to be input to the watermark extraction module for watermark extraction is the watermarked image generated by the watermark embedding module, and the confidential photo produced when it is leaked through the screen shooting method. When these confidential photos are secretly photographed and leaked, the corresponding information can still be extracted from the photos, so as to locate the leaked equipment or employee information.

In the following, the methods shown in S1-S3 above are applied to a specific example to demonstrate the technical effects that can be achieved.

Example

The specific method process in this embodiment is shown in S1-S3 above, and will not be described in detail here. The following mainly shows its specific implementation details and technical effects.

First, construct a watermark model framework. The watermark model framework used in this embodiment consists of three parts, namely: a watermark embedding module, an attack simulation module and a watermark extraction module. The specific data processing process in the three modules is as described above, and will not be repeated here.

(1) Watermark embedding module

The watermark embedding module is responsible for embedding the watermark into the transform coefficients of the image. In this embodiment, a CNN architecture is used, an original image in the form of a single-channel grayscale image of 512*512 pixels is used as input, and a single-channel watermarked image is output. The input watermark is represented as a two-dimensional image of 32*32 size, so the original image is also divided into 16*16 image blocks of 32*32 size. The Hadamard-transformed image block and the watermark image are spliced into a (16*16)+1-dimensional tensor along the channel direction and then input to the first convolution module for convolution. Restore the watermarked image. In this embodiment, the Hadamard transform layer is implemented by using a convolution kernel with a size of 1*1. The first convolution module contains 5 convolutional layers, and the convolution kernel sizes are 1*1, 2*2, 2*2, 2*2, and 2*2. Figure 2 shows the imperceptibility of the embedding algorithm in the watermark embedding module with PSNR. It can be seen from Figure 2 that the imperceptibility of this algorithm is relatively ideal, and the average PNSR is 36.62. Figure 3 shows the difference before and after the watermark is embedded in the original input image. From a subjective point of view, the image watermark after the watermark is embedded is relatively invisible. Since the embedding algorithm performs watermark embedding in the Hadamard transform domain, Figure 4 shows some Hadamard transform coefficients, and it can be seen that the absolute values of the Hadamard transform coefficients are the same.

(2) Attack simulation module

Through the theoretical analysis of screen shooting attacks, the attacks caused during the screen shooting process can be divided into: perspective transformation, optical distortion, brightness change, JPEG compression, moiré mode, and visualize different attack results, as shown in Figure 5. Among them, the moiré attack is the most common attack type. Therefore, the present invention constructs a U-Net network to train and test the moiré attack, and its network structure diagram is shown in FIG. 6 . The loss function for the Moiré trained network is as described previously. Figure 7 is the test result picture obtained through the test chart after the U-Net network is trained. From Figure 7, it can be easily observed that the original pure picture will automatically add moiré mode after passing through the U-Net network, realizing the screen capture process. The moiré simulates the attack. The trained network is added between the watermark embedding module and the watermark extraction module as a noise layer to increase the robustness of the screen capture algorithm and the diversity of attacks. In addition, mixed attacks may occur in many cases during the screen capture process, including traditional attacks and screen capture attacks. This embodiment simulates all the above attacks in the attack simulation layer, as shown in Table 1. Screenshot attacks include perspective transformation (Perspective), light distortion (Light), JPEG distortion (JPEG) and moiré mode (Moiré) attack operations, and non-screenshot attacks specifically include image blurring (Blurring) and cropping (Cropping) , Gaussian noise, Block noise, Scaling, Rotation, Sharpening, Visible watermark, Display distortion, Brightness and contrast (Display distortion) various attack operations.

Table 1 Different attack parameters of the attack simulation layer

(3) Watermark extraction module

The watermark extraction module is used to extract watermarks from watermarked images subjected to screen capture attacks. The watermark is embedded in the Hadamard domain, and the watermark image is transformed to the Hadamard domain before extracting the watermark. The watermarked image is extracted by Hadamard transformation layer and a series of convolutional layers in the second convolutional module. In this embodiment, the Hadamard transformation layer here is implemented by a convolution kernel with a size of 1*1, and the first convolution module contains 5 layers of convolution layers, and the convolution kernel sizes are 1*1, 2* 2, 2*2, 2*2, and 1*1.

The algorithm needs to ensure the maximum watermark image quality and the minimum watermark extraction error rate to balance the imperceptibility and robustness of the algorithm. Therefore, the invention in this embodiment introduces Peak signal-to-noise ratio (PSNR) and structural similarity index (SSIM) to ensure the imperceptibility of the image, and normalized cross-correlation (NC) and bit error rate (BER) are used to describe The robustness of the algorithm. In order to balance the robustness and imperceptibility of the algorithm, a loss function based on the coupling of NC and SSIM is adopted here. The specific description is as follows:

和

是平均值，

和

分别是I_o(x,y)和I_w(x,y)的方差，C1和C2是用来稳定分母的两个弱变量。公式(5)是总的损失函数，由NC和SSIM两部分组成，α＝β＝0.5，并且C₁和C₂的值分别为10^-4，9*10^-4，C₃、C₄的值分别为10^-2和3×10^-2。Formula (1) describes the mean square error, I _o (x, y) is the original image of size X×Y, and I _w (x, y) is the watermarked image after embedding the watermark. Equation (2) is an expression of PSNR. Equation (3) is the expression of NC, w _o (h, g) is the original embedded watermark image of size H×G, and we ₍ h, g) is the extracted watermark image. Equation (4) describes the expression form of SSIM,

and

is the mean value,

and

are the variances of I _o (x,y) and I _w (x,y) respectively, and C1 and C2 are two weak variables used to stabilize the denominator. Formula (5) is the total loss function, which is composed of NC and SSIM, α=β=0.5, and the values of C ₁ and C ₂ are 10 ^-4 , 9*10 ^{-4 ,} C ₃ , C ₄ The values are 10 ^-2 and 3×10 ^-2 , respectively.

Using the training data set, the watermark model framework is iteratively trained by minimizing the total loss function L _t , and the watermark extraction module selects different attack operations in different training rounds to attack the watermarked image output by the watermark embedding module, each round Select an attack operation for training, and all training rounds cover all attack operations. After training to the maximum number of iterations, the training is completed.

After the training of the watermark model framework is completed, the trained watermark model framework only needs to be tested. During the test, the watermark embedding module is used to embed the watermark, and the watermarked image with the watermark is output, and the watermark model framework is continuously used to introduce noise into the watermarked image generated by the watermark embedding module through different attack forms, and then it is directly input into the watermark Watermark extraction is performed in the extraction module to test its robustness against attacks. In this embodiment, various attack types are tested, and the BER index is used to demonstrate the ability of the network layer to extract the watermark, wherein the smaller the BER value, the better the extraction effect. The test results are shown in Table 2:

Table 2 Watermark extraction capability display

It can be seen that the algorithm framework proposed by the present invention has advantages in concealment, robustness and speed for various screen capture attacks and non-screen capture attacks.

The above-mentioned embodiment is only a preferred solution of the present invention, but it is not intended to limit the present invention. Various changes and modifications can be made by those skilled in the relevant technical fields without departing from the spirit and scope of the present invention. Therefore, all technical solutions obtained by means of equivalent replacement or equivalent transformation fall within the protection scope of the present invention.

Claims (10)

1. A Hadamard transform anti-screen watermarking method based on deep learning, characterized in that, comprising: S1. Construct a watermark model framework composed of a watermark embedding module, an attack simulation module and a watermark extraction module; The watermark embedding module is formed by cascading the first Hadamard transformation layer, the first convolution module and the Hadamard inverse transformation layer, and its input is the watermark to be embedded and the original image to be embedded with the watermark; the original image of the single channel is pre-segmented It is a series of first image blocks of the same size, each first image block is input into the first Hadamard transformation layer and transformed from the spatial domain to the frequency domain by Hadamard transformation, and the two-dimensional transformation results of each first image block are spliced along the channel dimension Finally, the first transformed feature map is obtained, and then the watermark to be embedded is embedded in the first transformed feature map to obtain the second transformed feature map, and the second transformed feature map is input into the first convolution module for convolution operation, thereby obtaining the The third transformation feature map with the same number of channels in the first transformation feature map, the third transformation feature map is input into the Hadamard inverse transformation layer channel by channel, and the Hadamard inverse transformation is used to transform from the frequency domain back to the space domain, and the two-dimensional transformation results of each channel are re-pressed. The intermediate image with the same size as the original image is obtained by sequential splicing and restoration, and the intermediate image is superimposed on the original image and output as a single-channel watermarked image; A variety of attack operations including screen shot attacks are built into the attack simulation module, the input of which is the watermarked image, and each attack operation can attack the watermarked image and generate a single-channel victim The watermarked image after the attack; and the moiré attack in the screen shot attack is realized by the moiré attack network, the moiré attack network is trained by the U-Net network, the input is a watermarked image, and the output is after adding noise through the moiré attack The watermarked image; The watermark extraction module is formed by cascading the second Hadamard transformation layer and the second convolution module, and its input is the attacked watermarked image of a single channel; the attacked watermarked image is pre-segmented into a series of For the second image blocks of the same size, each second image block is input into the second Hadamard transformation layer and transformed from the spatial domain to the frequency domain through Hadamard transformation, and the two-dimensional transformation results of each second image block are spliced along the channel dimension to obtain the first Transform the feature map four times, and then input the fourth transformed feature map into the second convolution module to perform a convolution operation to obtain a watermark extraction result; S2. Use the training data to iteratively train the watermark model framework by minimizing the total loss function, and the watermark extraction module selects different attack operations in different training rounds to perform the watermarked image output by the watermark embedding module Attack, each round of training selects an attack operation, and all training rounds cover all attack operations; the total loss function is weighted by the biased reciprocal of the normalized cross-correlation loss and the structural similarity index loss; S3. After the training of the watermark model framework is completed, the watermark embedding module is used to embed the watermark, and the watermarked image with the watermark is output, and for the image requiring watermark extraction, directly input it into the watermark extraction module for watermark extraction. 2. the Hadamard transform anti-screen watermarking method based on deep learning as claimed in claim 1, is characterized in that, the expression of described total loss function is as follows:

Among them: L _w represents the normalized cross-correlation coefficient of the original embedded watermark and watermark extraction results, L _I represents the structural similarity index between the original image and the watermarked image, C ₃ and C ₄ are two weak points used to stabilize the denominator variable. 3. The Hadamard transform anti-screen watermarking method based on deep learning as claimed in claim 2, wherein said α and β are both decimal numbers greater than 0 and less than 1, and satisfy α+β=1. 4. The Hadamard transform anti-screen watermarking method based on deep learning according to claim 2, wherein the values of C ₃ and C ₄ are 10 ^-2 and 3×10 ^-2 respectively. 5. The Hadamard transform anti-screen watermarking method based on deep learning as claimed in claim 1, wherein the watermark to be embedded is embedded in the first transformation feature map by combining the watermark to be embedded with the first transformation feature The graph is concatenated along the channel dimension. 6. The Hadamard transform anti-screen watermarking method based on deep learning as claimed in claim 1, wherein the first convolution module and the second convolution module respectively comprise 5 layers of convolution layers. 7. The Hadamard transform anti-screen watermarking method based on deep learning as claimed in claim 1, wherein said screen capture attack includes multiple attack operations of perspective transformation, light distortion, JPEG distortion and moiré mode. 8. The Hadamard transform anti-screen watermarking method based on deep learning as claimed in claim 1, wherein the attack simulation module also includes non-screen attack, specifically including blurring, cropping, Gaussian noise, Mosaic noise, scaling, rotation, sharpening, watermarking, display distortion, brightness and contrast various attack operations. 9. the Hadamard transform anti-screen watermarking method based on deep learning as claimed in claim 1, wherein, in the training process of the moiré attack network, a series of watermarked image samples x _i and corresponding moiré attack The noise-added watermarked image y _i is used as an input sample, and the U-Net network is trained by minimizing the loss function L _m ; where the form of the loss function L _m is:

In the formula: m is the total number of samples used for training, and f( _xi ) is the prediction result output by the U-Net network for the input watermarked image sample _xi . 10. the Hadamard transform anti-screen watermarking method based on deep learning as claimed in claim 1, is characterized in that, in described S3, the image that needs to carry out watermark extraction is the watermarked image that watermark embedding module generates by screen shooting mode Leaked confidential photos.

Images