The abuse of original audios has attracted widespread attention in the society. Audio watermarking, which embeds imperceptible signals into audio content, has been proposed as an effective way to assert user copyright of audios. Although recent deep learning-based audio watermarking methods have enhanced robustness and capacity compared to traditional approaches, they are vulnerable to adversarial attacks. Our findings reveal that the message probabilities output by the watermark decoder follow a normal distribution for both clean and watermarked audio. This observation can be leveraged to detect existing audio watermark attacks. In this thesis, we introduce AWM, an adaptive audio watermark attack method designed to bypass existing detection strategies. The attack has three different types: watermark replacement, watermark creation, and watermark removal. AWM employs a two-step optimization process: the first step ensures the success of the watermark attack and bypasses the detection by optimizing message probabilities within an estimated normal range, while the second step focuses on enhancing audio quality while maintaining a successful attack. The proposed attack iteratively estimates the parameters of the normal distribution using a small set of feature-similar audio samples based on the target audio and applies adaptive optimization to adjust the decoded message probabilities toward the estimated normal range. We evaluate AWM on two watermarking methods across three diverse voice datasets and compare the results with existing audio watermark attack techniques. Our experiments demonstrate that the proposed attack achieves a high attack success rate while effectively bypassing detection, with detection success rates remaining under 10% for watermark replacement and watermark creation, and at 0% for watermark removal. Additionally, AWM exhibits high robustness against various no-box perturbations, including low-pass filtering, amplitude scaling, and compression, while maintaining high perceptual audio quality. Our experiments highlight a significant security gap in current watermark defenses and show that statistical assumptions about the decoder output can be exploited by attackers. These findings also provide a foundation for future research in audio watermark attack detection and the development of more advanced attacks.
Read
