This PDF file contains the front matter associated with SPIE Proceedings Volume 9028, including the Title Page, Copyright information, Table of Contents, Introduction (if any), and Conference Committee listing.

The design of both steganography and steganalysis methods for digital images heavily relies on empirically justified principles. In steganography, the domain in which the embedding changes are executed is usually the preferred domain in which to measure the statistical impact of embedding (to construct the distortion function). Another principle almost exclusively used in steganalysis states that the most accurate detection is obtained when extracting the steganalysis features from the embedding domain. While a substantial body of prior art seems to support these two doctrines, this article challenges both principles when applied to the JPEG format. Through a series of targeted experiments on numerous older as well as current steganographic algorithms, we lay out arguments for why measuring the embedding distortion in the spatial domain can be highly beneficial for JPEG steganography. Moreover, as modern embedding algorithms avoid introducing easily detectable artifacts in the statistics of quantized DCT coefficients, we demonstrate that more accurate detection is obtained when constructing the steganalysis features in the spatial domain where the distortion function is minimized, challenging thus both established doctrines.

This work proposes a natural language stegosystem for Twitter, modifying tweets as they are written to hide 4 bits of payload per tweet, which is a greater payload than previous systems have achieved. The system, CoverTweet, includes novel components, as well as some already developed in the literature. We believe that the task of transforming covers during embedding is equivalent to unilingual machine translation (paraphrasing), and we use this equivalence to de ne a distortion measure based on statistical machine translation methods. The system incorporates this measure of distortion to rank possible tweet paraphrases, using a hierarchical language model; we use human interaction as a second distortion measure to pick the best. The hierarchical language model is designed to model the speci c language of the covers, which in this setting is the language of the Twitter user who is embedding. This is a change from previous work, where general-purpose language models have been used. We evaluate our system by testing the output against human judges, and show that humans are unable to distinguish stego tweets from cover tweets any better than random guessing.

This paper is an attempt to analyze the interaction between Alice and Warden in Steganography using the Game Theory. We focus on the modern steganographic embedding paradigm based on minimizing an additive distortion function. The strategies of both players comprise of the probabilistic selection channel. The Warden is granted the knowledge of the payload and the embedding costs, and detects embedding using the likelihood ratio. In particular, the Warden is ignorant about the embedding probabilities chosen by Alice. When adopting a simple multivariate Gaussian model for the cover, the payoff function in the form of the Warden’s detection error can be numerically evaluated for a mutually independent embedding operation. We demonstrate on the example of a two-pixel cover that the Nash equilibrium is different from the traditional Alice’s strategy that minimizes the KL divergence between cover and stego objects under an omnipotent Warden. Practical implications of this case study include computing the loss per pixel of Warden’s ability to detect embedding due to her ignorance about the selection channel.

Recently, a new steganographic method was introduced that utilizes a universal distortion function called UNIWARD. The distortion between the cover and stego image is computed as a sum of relative changes of wavelet coefficients representing both images. As already pointed out in the original publication, the selection channel of the spatial version of UNIWARD (the version that hides messages in pixel values called S-UNIWARD) exhibits unusual properties – in highly textured and noisy regions the embedding probabilities form interleaved streaks of low and high embedding probability. While the authors of UNIWARD themselves hypothesized that such an artifact in the embedding probabilities may jeopardize its security, experiments with state-of-the-art rich models did not reveal any weaknesses. Using the fact that the cover embedding probabilities can be approximately estimated from the stego image, we introduce the novel concept of content-selective residuals and successfully attack S-UNIWARD. We also show that this attack, which is made possible by a faulty probabilistic selection channel, can be prevented by properly adjusting the stabilizing constant in the UNIWARD distortion function.

We revisit the well-known watermarking detection problem, also known as one-bit watermarking, in the presence of an oracle attack. In the absence of an adversary, the design of the detector generally relies on probabilistic formulations (e.g., Neyman-Pearson's lemma) or on ad-hoc solutions. When there is an adversary trying to minimize the probability of correct detection, game-theoretic approaches are possible. However, they usually assume that the attacker cannot learn the secret parameters used in detection. This is no longer the case when the adversary launches an oracle-based attack, which turns out to be extremely effective. In this paper, we discuss how the detector can learn whether it is being subject to such an attack, and take proper measures. We present two approaches based on different attacker models. The first model is very general and makes minimum assumptions on attacker's beaver. The second model is more specific since it assumes that the oracle attack follows a weel-defined path. In all cases, a few observations are sufficient to the watermark detector to understand whether an oracle attack is on going.

In this paper, we present a statistical framework for the analysis of the performance of Bag-of-Words (BOW) systems. The paper aims at establishing a better understanding of the impact of different elements of BOW systems such as the robustness of descriptors, accuracy of assignment, descriptor compression and pooling and finally decision making. We also study the impact of geometrical information on the BOW system performance and compare the results with different pooling strategies. The proposed framework can also be of interest for a security and privacy analysis of BOW systems. The experimental results on real images and descriptors confirm our theoretical findings. Notation: We use capital letters to denote scalar random variables X and X to denote vector random variables, corresponding small letters x and x to denote the realisations of scalar and vector random variables, respectively. We use X ~pX(x) or simply X ~p(x) to indicate that a random variable X is distributed according to pX(x). N(μ, σ ² _X ) stands for the Gaussian distribution with mean μ and variance σ² _X . B(L, P_b) denotes the binomial distribution with sequence length L and probability of success P_b. ║.║denotes the Euclidean vector norm and Q(.) stands for the Q-function. D(.║.) denotes the divergence and E{.} denotes the expectation.

In crime scene forensics latent fingerprints are found on various substrates. Nowadays primarily physical or chemical preprocessing techniques are applied for enhancing the visibility of the fingerprint trace. In order to avoid altering the trace it has been shown that contact-less sensors offer a non-destructive acquisition approach. Here, the exploitation of fingerprint or substrate properties and the utilization of signal processing techniques are an essential requirement to enhance the fingerprint visibility. However, especially the optimal sensory is often substrate-dependent. An enhanced generic pattern recognition based contrast enhancement approach for scans of a chromatic white light sensor is introduced in Hildebrandt et al.¹ using statistical, structural and Benford's law² features for blocks of 50 micron. This approach achieves very good results for latent fingerprints on cooperative, non-textured, smooth substrates. However, on textured and structured substrates the error rates are very high and the approach thus unsuitable for forensic use cases. We propose the extension of the feature set with semantic features derived from known Gabor filter based exemplar fingerprint enhancement techniques by suggesting an Epsilon-neighborhood of each block in order to achieve an improved accuracy (called fingerprint ridge orientation semantics). Furthermore, we use rotation invariant Hu moments as an extension of the structural features and two additional preprocessing methods (separate X- and Y Sobel operators). This results in a 408-dimensional feature space. In our experiments we investigate and report the recognition accuracy for eight substrates, each with ten latent fingerprints: white furniture surface, veneered plywood, brushed stainless steel, aluminum foil, "Golden-Oak" veneer, non-metallic matte car body finish, metallic car body finish and blued metal. In comparison to Hildebrandt et al.,¹ our evaluation shows a significant reduction of the error rates by 15.8 percent points on brushed stainless steel using the same classifier. This also allows for a successful biometric matching of 3 of the 8 latent fingerprint samples with the corresponding exemplar fingerprint on this particular substrate. For contrast enhancement analysis of classification results we suggest to use known Visual Quality Indexes (VQI)³ as a contrast enhancement quality indicator and discuss our first preliminary results using the exemplary chosen VQI Edge Similarity Score (ESS),⁴ showing a tendency that higher image differences between a substrate containing a fingerprint and a substrate with a blank surface correlate with a higher recognition accuracy between a latent fingerprint and an exemplar fingerprint. Those first preliminary results support further research into VQIs as contrast enhancement quality indicator for a given feature space.

Compressive Sensing (CS) has become one of the standard methods in face recognition due to the success of the family of Sparse Representation based Classification (SRC) algorithms. However it has been shown that in some cases, the locality of the dictionary codewords is more essential than the sparsity. Also sparse coding does not guarantee to be local which could lead to an unstable solution. We therefore consider the statistically optimal aspects of encoding that guarantee the best approximation of the query image to a dictionary that incorporates varying acquisition conditions. We focus on the investigation, analysis and experimental validation of the best robust classifier/predictor and consider frontal face image variability induced by noise, lighting, expression, pose, etc.. We compare two image representations using a pixel-wise approximation and an overcomplete block-wise approximation with two types of sparsity priors. In the first type we consider all samples from a single subject and in the second type we consider all samples from all subjects. The experiments on a publicly available dataset using low resolution images showed that several per subject sample sparsity prior approximations are as good as the results presented from SCR and that our simple overcomplete block-wise approximation provides superior performance in comparison to the SRC and WSRC algorithm.

Stereo video content calls for new watermarking strategies, e.g. to achieve robustness against virtual view synthesis. Prior works focused either on inserting the watermark in an invariant domain or on guaranteeing that the watermarks introduced in the left and right views are coherent with the disparity of the scene. However, the first approach raises fidelity issues while the second requires side information at detection i.e. the detector is not blind. In this paper, we propose a new blind detection procedure for disparity-coherent watermarks. In a nutshell, the detector relies on cross-correlation to aggregate the scattered pieces of the embedded reference watermark pattern rather than warping the reference pattern according to the parameters of the current view prior to detection. Reported experimental results indicate that this revisited detector successfully manages to retrieve embedded watermarks even after lossy compression.

In the field of collusion-resistant traitor tracing, Oosterwijk et al. recently determined the optimal suspicion function for simple decoders. Earlier, Moulin also considered another type of decoder: the generic joint decoder that compares all possible coalitions, and showed that usually the generic joint decoder outperforms the simple decoder. Both Amiri and Tardos, and Meerwald and Furon described constructions that assign suspicion levels to c-tuples, where c is the number of colluders. We investigate a novel idea: the tuple decoder, assigning a suspicion level to tuples of a fixed size. In contrast to earlier work, we use this in a novel accusation algorithm to decide for each distinct user whether or not to accuse him. We expect such a scheme to outperform simple decoders while not being as computationally intensive as the generic joint decoder. In this paper we generalize the optimal suspicion functions to tuples, and describe a family of accusation algorithms in this setting that accuses individual users using this tuple-based information.

The “Internet of Things” is an appealing concept aiming to assign digital identity to both physical and digital everyday objects. One way of achieving this goal is to embed the identity in the object itself by using digital watermarking. In the case of printed physical objects, such as consumer packages, this identity can be later read from a digital image of the watermarked object taken by a camera. In many cases, the object might occupy only a small portion of the the image and an attempt to read the watermark payload from the whole image can lead to unnecessary processing. This paper proposes a statistical learning-based algorithm for localizing watermarked physical objects taken by a digital camera. The algorithm is specifically designed and tested on watermarked consumer packages read by an off-the-shelf barcode imaging scanner. By employing simple noise-sensitive features borrowed from blind image steganalysis and a linear classifier, we are able to estimate probabilities of watermark presence in every part of the image significantly faster than running a watermark detector. These probabilities are used to pinpoint areas that are recommended for further processing. We compare our adaptive approach with a system designed to read watermarks from a set of fixed locations and achieve significant savings in processing time while improving overall detector robustness.

De-synchronizing operations such as insertion, deletion, and warping pose significant challenges for watermarking. Because these operations are not typical for classical communications, watermarking techniques such as spread spectrum can perform poorly. Conversely, specialized synchronization solutions can be challenging to analyze/ optimize. This paper addresses desynchronization for blind spread spectrum watermarks, detected without reference to any unmodified signal, using the robustness properties of short blocks. Synchronization relies on dynamic time warping to search over block alignments to find a sequence with maximum correlation to the watermark. This differs from synchronization schemes that must first locate invariant features of the original signal, or estimate and reverse desynchronization before detection. Without these extra synchronization steps, analysis for the proposed scheme builds on classical SS concepts and allows characterizes the relationship between the size of search space (number of detection alignment tests) and intrinsic robustness (continuous search space region covered by each individual detection test). The critical metrics that determine the search space, robustness, and performance are: time-frequency resolution of the watermarking transform, and blocklength resolution of the alignment. Simultaneous robustness to (a) MP3 compression, (b) insertion/deletion, and (c) time-scale modification is also demonstrated for a practical audio watermarking scheme developed in the proposed framework.

While intra frame drifting is a concern for all types of MPEG-4 AVC compressed-domain video processing applications, it has a particular negative impact in watermarking. In order to avoid the drift drawbacks, two classes of solutions are currently considered in the literature. They try either to compensate the drift distortions at the expense of complex decoding/estimation algorithms or to restrict the insertion to the blocks which are not involved in the prediction, thus reducing the data payload. The present study follows a different approach. First, it algebraically models the drift distortion spread problem by considering the analytic expressions of the MPEG-4 AVC encoding operations. Secondly, it solves the underlying algebraic system under drift-free constraints. Finally, the advanced solution is adapted to take into account the watermarking peculiarities. The experiments consider an m-QIM semi-fragile watermarking method and a video surveillance corpus of 80 minutes. For prescribed data payload (100 bit/s), robustness (BER < 0.1 against transcoding at 50% in stream size), fragility (frame modification detection with accuracies of 1/81 from the frame size and 3s) and complexity constraints, the modified insertion results in gains in transparency of 2 dB in PSNR, of 0.4 in AAD, of 0.002 in IF, of 0.03 in SC, of 0.017 NCC and 22 in DVQ.

Digital watermarking is a promising solution to video game piracy. In this paper, based on the analysis of special challenges and requirements in terms of watermarking textures in video games, a novel watermarking scheme for DDS textures in video games is proposed. To meet the performance requirements in video game applications, the proposed algorithm embeds the watermark message directly in the compressed stream in DDS files and can be straightforwardly applied in watermark container technique for real-time embedding. Furthermore, the embedding approach achieves high watermark payload to handle collusion secure fingerprinting codes with extreme length. Hence, the scheme is resistant to collusion attacks, which is indispensable in video game applications. The proposed scheme is evaluated in aspects of transparency, robustness, security and performance. Especially, in addition to classical objective evaluation, the visual quality and playing experience of watermarked games is assessed subjectively in game playing.

Payload location is an approach to find the message bits hidden in steganographic images, but not necessarily their logical order. Its success relies primarily on the accuracy of the underlying cover estimators and can be improved if more estimators are used. This paper presents an approach based on Markov random field to estimate the cover image given a stego image. It uses pairwise constraints to capture the natural two-dimensional statistics of cover images and forms a basis for more sophisticated models. Experimental results show that it is competitive against current state-of-the-art estimators and can locate payload embedded by simple LSB steganography and group-parity steganography. Furthermore, when combined with existing estimators, payload location accuracy improves significantly.

The model mismatch problem occurs in steganalysis when a binary classifier is trained on objects from one cover source and tested on another: an example of domain adaptation. It is highly realistic because a steganalyst would rarely have access to much or any training data from their opponent, and its consequences can be devastating to classifier accuracy. This paper presents an in-depth study of one particular instance of model mismatch, in a set of images from Flickr using one fixed steganography and steganalysis method, attempting to separate different effects of mismatch in feature space and find methods of mitigation where possible. We also propose new benchmarks for accuracy, which are more appropriate than mean error rates when there are multiple actors and multiple images, and consider the case of 3-valued detectors which also output `don't know'. This pilot study demonstrates that some simple feature-centering and ensemble methods can reduce the mismatch penalty considerably, but not completely remove it.

When a steganalysis detector trained on one cover source is applied to images from a different source, generally the detection error increases due to the mismatch between both sources. In steganography, this situation is recognized as the so-called cover source mismatch (CSM). The drop in detection accuracy depends on many factors, including the properties of both sources, the detector construction, the feature space used to represent the covers, and the steganographic algorithm. Although well recognized as the single most important factor negatively affecting the performance of steganalyzers in practice, the CSM received surprisingly little attention from researchers. One of the reasons for this is the diversity with which the CSM can manifest. On a series of experiments in the spatial and JPEG domains, we refute some of the common misconceptions that the severity of the CSM is tied to the feature dimensionality or their “fragility.” The CSM impact on detection appears too difficult to predict due to the effect of complex dependencies among the features. We also investigate ways to mitigate the negative effect of the CSM using simple measures, such as by enlarging the diversity of the training set (training on a mixture of sources) and by employing a bank of detectors trained on multiple different sources and testing on a detector trained on the closest source.

The Projected Spatial Rich Model (PSRM) generates powerful steganalysis features, but requires the calculation of tens of thousands of convolutions with image noise residuals. This makes it very slow: the reference implementation takes an impractical 20{30 minutes per 1 megapixel (Mpix) image. We present a case study which first tweaks the definition of the PSRM features, to make them more efficient, and then optimizes an implementation on GPU hardware which exploits their parallelism (whilst avoiding the worst of their sequentiality). Some nonstandard CUDA techniques are used. Even with only a single GPU, the time for feature calculation is reduced by three orders of magnitude, and the detection power is reduced only marginally.

This report describes a method for the creation and automatic content verification of low-cost self-verifiable paper documents. The image of an original document is decomposed to symbol templates and their corresponding locations. The resulting data is further compressed and encrypted, and encoded in custom designed high-capacity color barcodes. The original image and barcodes are printed on the same paper to form a self-verifiable authentic document. During content verification, the paper document is scanned to obtain the barcodes and target image. The original image is reconstructed from data extracted from the barcodes, which is then registered with and compared to the target image. The verification is carried out hierarchically from the entire image down to word and symbol levels. For symbol level comparison, multiple types of features and shape matching are utilized in a cascade. The proposed verification method is inexpensive, robust and fast. Evaluation on 216 character tables and 102 real documents achieved greater than 99% alteration detection rate and less than 1% false positives at the word/symbol level.

In this paper, we propose a method for estimation of camera lens distortion correction from a single image. Without relying on image EXIF, the method estimates the parameters of the correction by searching for a maximum energy of the so-called linear pattern introduced into the image during image acquisition prior to lens distortion correction. Potential applications of this technology include camera identification using sensor fingerprint, narrowing down the camera model, estimating the distance between the photographer and the subject, forgery detection, and improving the reliability of image steganalysis (detection of hidden data).

It has been proved that Sensor Pattern Noise (SPN) can serve as an imaging device fingerprint for source camera identification. Reference SPN estimation is a very important procedure within the framework of this application. Most previous works built reference SPN by averaging the SPNs extracted from 50 images of blue sky. However, this method can be problematic. Firstly, in practice we may face the problem of source camera identification in the absence of the imaging cameras and reference SPNs, which means only natural images with scene details are available for reference SPN estimation rather than blue sky images. It is challenging because the reference SPN can be severely contaminated by image content. Secondly, the number of available reference images sometimes is too few for existing methods to estimate a reliable reference SPN. In fact, existing methods lack consideration of the number of available reference images as they were designed for the datasets with abundant images to estimate the reference SPN. In order to deal with the aforementioned problem, in this work, a novel reference estimator is proposed. Experimental results show that our proposed method achieves better performance than the methods based on the averaged reference SPN, especially when few reference images used.

In this work, we address the problem of content identification. We consider content identification as a special case of multiclass classification. The conventional approach towards identification is based on content fingerprinting where a short binary content description known as a fingerprint is extracted from the content. We propose an alternative solution based on elements of machine learning theory and digital communications. Similar to binary content fingerprinting, binary content representation is generated based on a set of trained binary classifiers. We consider several training/encoding strategies and demonstrate that the proposed system can achieve the upper theoretical performance limits of content identification. The experimental results were carried out both on a synthetic dataset with different parameters and the FAMOS dataset of microstructures from consumer packages.

Speaker recognition is used to identify a speaker's voice from among a group of known speakers. A common method of speaker recognition is a classification based on cepstral coefficients of the speaker's voice, using a Gaussian mixture model (GMM) to model each speaker. In this paper we try to fool a speaker recognition system using additive noise such that an intruder is recognized as a target user. Our attack uses a mixture selected from a target user's GMM model, inverting the cepstral transformation to produce noise samples. In our 5 speaker data base, we achieve an attack success rate of 50% with a noise signal at 10dB SNR, and 95% by increasing noise power to 0dB SNR. The importance of this attack is its simplicity and flexibility: it can be employed in real time with no processing of an attacker's voice, and little computation is needed at the moment of detection, allowing the attack to be performed by a small portable device. For any target user, knowing that user's model or voice sample is sufficient to compute the attack signal, and it is enough that the intruder plays it while he/she is uttering to be classiffed as the victim.

3D models and applications are of utmost interest in both science and industry. With the increment of their usage, their number and thereby the challenge to correctly identify them increases. Content identification is commonly done by cryptographic hashes. However, they fail as a solution in application scenarios such as computer aided design (CAD), scientific visualization or video games, because even the smallest alteration of the 3D model, e.g. conversion or compression operations, massively changes the cryptographic hash as well. Therefore, this work presents a robust hashing algorithm for 3D mesh data. The algorithm applies several different bit extraction methods. They are built to resist desired alterations of the model as well as malicious attacks intending to prevent correct allocation. The different bit extraction methods are tested against each other and, as far as possible, the hashing algorithm is compared to the state of the art. The parameters tested are robustness, security and runtime performance as well as False Acceptance Rate (FAR) and False Rejection Rate (FRR), also the probability calculation of hash collision is included. The introduced hashing algorithm is kept adaptive e.g. in hash length, to serve as a proper tool for all applications in practice.

In this paper, we address the problem of fast and secure packaging identification on mobile phones. It is a well known fact that consumer goods are counterfeited on a massive scale in certain regions of the world, illustrating how existing counter measures fall short or don't exist at all, as can be seen in the local absence of laws pertaining to brand protection. This paper introduces a technological tool that allows the consumer to quickly identify a product or package with a mobile device using a physical non-cloneable features in the form of a surface micro- structure image. This natural occurring identifier allows a producer or brand owner to track and trace all its products and gives the consumer a powerful tool to confirm the authenticity of an offered product.

In this paper we are concerned by authentication of printer technologies from microscopic analysis of paper print. At this scale, a print is made of regularly spaced dots whose shape varies from a print to another and also inside the same document. Thus, dot at the microscopic scale can be considered as an intrinsic signature of printer technologies. Modeling and estimating such a signature for the authentication of printer technologies are really challenging. In this paper, we propose an original modeling of the micrometric scan of document printing. It consists in an extension of the binary response model which takes into account the dot shape. The digital image of a dot is therefore modeled as a set of random pixels distributed following to the so called inverse link function which depends on the center, tone of black, its spreading and its shape. A maximum likelihood estimation algorithm is provided in order to estimate the location, the darkness, the scale and shape parameter of the dot. From experimental results on three different printer technologies (inkjet, laser and offset), we show that the shape parameter is relevant for designing an identification scheme of printer technologies.

Locksmith forensics is an important area in crime scene forensics. Due to new optical, contactless, nanometer range sensing technology, such traces can be captured, digitized and analyzed more easily allowing a complete digital forensic investigation. In this paper we present a significantly improved approach for the detection and segmentation of toolmarks on surfaces of locking cylinder components (using the example of the locking cylinder component ’key pin’) acquired by a 3D Confocal Laser Scanning Microscope. This improved approach is based on our prior work1 using a block-based classification approach with textural features. In this prior work1 we achieve a solid detection rate of 75-85% for the detection of toolmarks originating from illegal opening methods. Here, in this paper we improve, expand and fuse this prior approach with additional features from acquired surface topography data, color data and an image processing approach using adapted Gabor filters. In particular we are able of raising the detection and segmentation rates above 90% with our test set of 20 key pins with approximately 700 single toolmark traces of four different opening methods. We can provide a precise pixel- based segmentation as opposed to the rather imprecise segmentation of our prior block-based approach and as the use of the two additional data types (color and especially topography) require a specific pre-processing, we furthermore propose an adequate approach for this purpose.

Contrast enhancements, such as histogram equalization or gamma correction, are widely used by malicious attackers to conceal the cut-and-paste trails in doctored images. Therefore, detecting the traces left by contrast enhancements can be an effective way of exposing cut-and-paste image forgery. In this work, two improved forensic methods of detecting contrast enhancement in digital images are put forward. More specifically, the first method uses a quadratic weighting function rather than a simple cut-off frequency to measure the histogram distortion introduced by contrast enhancements, meanwhile the averaged high-frequency energy measure of his- togram is replaced by the ratio taken up by the high-frequency components in the histogram spectrum. While the second improvement is achieved by applying a linear-threshold strategy to get around the sensitivity of threshold selection. Compared with their original counterparts, these two methods both achieve better performance in terms of ROC curves and real-world cut-and-paste image forgeries. The effectiveness and improvement of the two proposed algorithms are experimentally validated on natural color images captured by commercial camera.

Counterfeiting digital images through a copy-move forgery is one of the most common ways of manipulating the semantic content of a picture, whereby a portion of the image is copy-pasted elsewhere into the same image. It could happen, however, instead of a digital image only its analog version may be available. Scanned or recaptured (by a digital camera) printed documents are widely used in a number of different scenarios, for example a photo published on a newspaper or a magazine. In this paper, the problem of detecting and localizing copy-move forgeries from a printed picture is focused. The copy-move manipulation is detected by verifying the presence of duplicated patches in the scanned image by using a SIFT-based method, tailored for printed image case. Printing and scanning/recapturing scenario is quite challenging because it involves different kinds of distortions. The goal is to experimentally investigate the requirement set under which reliable copy-move forgery detection is possible. We carry out a series of experiments, to pursue all the different issues involved in this application scenario by considering diverse kinds of print and re-acquisition circumstances. Experimental results point out that forgery detection is still successful though with reduced performances, as expected.

In the last years many image forensic (IF) algorithms have been proposed to reveal traces of processing or tampering. On the other hand, Anti-Forensic (AF) tools have also been developed to help the forger in removing editing footprints. Inspired by the fact that it is much harder to commit a perfect crime when the forensic analyst uses a multi-clue investigation strategy, we analyse the possibility o ered by the adoption of a data fusion framework in a Counter-Anti-Forensic (CAF) scenario. We do so by adopting a theoretical framework, based on Dempster-Shafer Theory of Evidence, to synergically merge information provided by IF tools and CAF tools, whose goal is to reveal traces introduced by anti-forensic algorithms. The proposed system accounts for the non-trivial relationships between IF and CAF techniques; for example, in some cases the outputs from the former are expected to contradict the output from the latter. We evaluate the proposed method within a representative forensic task, that is splicing detection in JPEG images, with the forger trying to conceal traces using two di erent counter-forensic methods. Results show that decision fusion strongly limits the e ectiveness of AF methods.

Starting from the concept that many image forensic tools are based on the detection of some features revealing a particular aspect of the history of an image, in this work we model the counter-forensic attack as the injection of a specific fake feature pointing to the same history of an authentic reference image. We propose a general attack strategy that does not rely on a specific detector structure. Given a source image x and a target image y, the adversary processes x in the pixel domain producing an attacked image ~x, perceptually similar to x, whose feature f(~x) is as close as possible to f(y) computed on y. Our proposed counter-forensic attack consists in the constrained minimization of the feature distance Φ(z) =│ f(z) - f(y)│ through iterative methods based on gradient descent. To solve the intrinsic limit due to the numerical estimation of the gradient on large images, we propose the application of a feature decomposition process, that allows the problem to be reduced into many subproblems on the blocks the image is partitioned into. The proposed strategy has been tested by attacking three different features and its performance has been compared to state-of-the-art counter-forensic methods.