Forensic Security
• Plenty of Image Forensics methods
• An attacker can try to invalidate such methods
• Anti-forensics activities rely on several weaknesses in the forensic process
• Forensic Security: study the possible attacks and find some countermeasures

Source Identification
Photo Response Non-Uniformity Noise (PRNU)
• Inhomogeneity over the silicon wafer and imperfections generated during the sensor manufacturing process.
• Multiplicative noise, independent from temperature and time.
• Unique for each sensor.
• PRNU is a deterministic fingerprint of each camera.
• Matching between a digital camera and an image is established through a correlation detector.

Source Identification Attack
• Fingerprint-copy attack presented in Fridrich et al.*
Attack scenario
• Alice, the victim, has posted images acquired with her camera C on the Internet (e.g. Facebook, her web site, etc.).
• Eve, the attacker, gets N of these photos and estimates the fingerprint K̂ of Alice’s camera C.
• Eve superimposes K̂ onto another image J taken from a different camera C’, with the aim of framing Alice as the author of the resulting fake image J’.
* Miroslav Goljan, Jessica Fridrich, and Mo Chen, “Sensor noise camera identification: Countering counter-forensics,” in SPIE Conference on Media Forensics and Security, 2010.

Source Identification Attack
[Figure: attack pipeline with labels: image J from camera C’ (Samsung S860), noise suppression, PRNU extraction from N images taken from Alice’s camera C (Nikon L19), fingerprint insertion, forged image J’.]
• multiplicative model

Defence scenario
Goals
• Is the image J’ forged?
• Which images from Alice’s dataset were stolen by Eve?
Alice’s defence
• Alice can utilize her camera C.
• Dataset composed of S ≥ N images
  – N images stolen by Eve
  – plus other images belonging to her camera C.
• Triangle Test procedure.

Defence scenario
[Figure: the victim's pipeline with labels: noise extraction from J’, noise extraction and PRNU extraction from Alice’s images, Triangle Test separating images "Used by Eve" from "Not used by Eve".]
Alice estimates her camera’s fingerprint by using innocent flat images.
• better fingerprint estimation

Triangle Test
• Alice computes some correlations to perform the triangle test using as input:

Triangle Test
Basic idea
• A residual of the content of each image I, used by Eve to estimate Alice’s fingerprint, has been transferred within the fake image J’.
• The correlation will be greater than it would be when the image I is not utilized by Eve.
• For images I not used by Eve (innocent images) the dependence between and is well fit with a straight line.
• The deviation from this linear trend will indicate that such photos have been stolen by Eve.

Issues: attack vs. triangle test
• What is available to the attacker?
  – Triangle test procedure
• Which actions can Eve, the attacker, carry out to frame Alice?
• How is the triangle test's performance reduced?

What can an attacker do?
1. Typology and number of the stolen images
  • Textured images
  • Flat images
2. Fingerprint insertion
  • Multiplicative
  • Additive
3. Refined fingerprint estimation
  • Different denoising filter
  • Denoising with Enhancer function*
* R. Caldelli, I. Amerini, F. Picchioni, M. Innocenti, "Fast Image Clustering of Unknown Source Images", Workshop on Information Forensics & Security (WIFS 2010), December 12-15, 2010, pp. 1-5.

Enhancer function
• PRNU is improved by applying an enhancer function
  – wavelet domain
  – filter out scene details
[Figure: enhancer function plot; labels: "extracted noise", "noise"]

Results: Basic triangle test
The triangle test is effective and able to separate the two clusters of images.
• Alice’s dataset S is composed of Nc = 70 photos in total
  – 20 stolen by Eve (the green circle)
  – 50 “innocent” images (the red rhombus)
• Eve’s attack
  – Multiplicative model
  – Textured images

Results: Additive model for fingerprint insertion
The separation between the two groups is slightly increased.
• Alice’s dataset S is composed of Nc = 70 photos in total
  – 20 stolen by Eve (the green circle)
  – 50 “innocent” images (the red rhombus)
• Eve’s attack
  – Additive model
  – Textured images

Results: Flat stolen images
The cluster separation is still significant and the triangle test does not appear to lose its effectiveness. Not only is higher but also caused by the higher values assumed by the term which contributes to .
• Alice’s dataset S is composed of Nc = 70 photos in total
  – 20 stolen by Eve (the green circle)
  – 50 “innocent” images (the red rhombus)
• Eve’s attack
  – Multiplicative model
  – Flat images

Results: The attacker uses the enhancer function
The separation is drastically reduced and the two clusters are adjoining. The enhancer succeeds in strongly reducing the residual of image content in the fingerprint, which is the component the Triangle Test looks for.
• Alice’s dataset S is composed of Nc = 70 photos in total
  – 20 stolen by Eve (the green circle)
  – 50 “innocent” images (the red rhombus)
• Eve’s attack
  – Multiplicative model
  – Textured images
  – Enhancer function

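The Triangle Test decision step ("deviation from the linear trend") and the reduced separation reported on this slide, as an added example that is not part of the original slides: a line is fitted to pairs from images Alice knows are innocent, and candidates lying well above it are flagged. The names x and y, the k-sigma threshold, the use of a separate known-innocent calibration set, and every numeric value are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed calibration pairs (x, y) from images Alice knows are innocent.
# x and y stand for the two per-image correlation quantities the Triangle Test
# relates; names and values are assumptions made for this example.
NOISE = (1, -1, -1, 1, 1, -1, -1, 1)
INNOCENT = [(0.01 * i, 0.005 * i + 0.001 * e) for i, e in enumerate(NOISE, 1)]

# Constructed candidates (name, x, y) from Alice's dataset S for one forgery J'.
BASIC = [("img_a", 0.02, 0.030), ("img_b", 0.04, 0.041),
         ("img_c", 0.06, 0.031), ("img_d", 0.03, 0.0155)]
# Same images when the fingerprint estimate carried less content residual.
ENHANCED = [("img_a", 0.02, 0.014), ("img_b", 0.04, 0.022),
            ("img_c", 0.06, 0.031), ("img_d", 0.03, 0.0155)]


def fit_line(points):
    """Ordinary least-squares slope and intercept for (x, y) pairs."""
    xs, ys = zip(*points)
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("calibration x values must not all be equal")
    slope = sum((x - mx) * (y - my) for x, y in points) / sxx
    return slope, my - slope * mx


def triangle_flags(innocent, candidates, k=3.0):
    """Return names whose y lies more than k sigma above the innocent trend."""
    slope, intercept = fit_line(innocent)
    residuals = [y - (slope * x + intercept) for x, y in innocent]
    threshold = k * pstdev(residuals)
    # One-sided: a stolen image correlates more than the trend predicts.
    return [name for name, x, y in candidates
            if y - (slope * x + intercept) > threshold]


if __name__ == "__main__":
    print("basic attack   :", triangle_flags(INNOCENT, BASIC))
    print("enhancer attack:", triangle_flags(INNOCENT, ENHANCED))
```

In the constructed enhancer case one of the two stolen images falls back inside the innocent scatter and is missed, which is the adjoining-clusters effect the slide reports.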
Results
Increasing number of the images stolen by Eve: from 20 images to 50 images.
[Figure panels: "enhancer and 20 images", "no enhancer and 50 images", "enhancer and 50 images"]

Results
Correct detection probability vs different attack procedures.
• 6 tampered images by Eve
• In brackets the number of images stolen by Eve to perform the attack.

Attack procedure      Correct detection prob. (%)
Basic (20 images)     100
Additive (20)         100
Flat (20)             100
Enhancer (20)         61.7
Basic (50)            83.7
Enhancer (50)         30

Using the enhancer with only 20 images can give better results, in terms of missed detection, than resorting to 50 photos.

Conclusion
• Forensic Security
• Source identification attack
• Analysis on attacker actions
• Experimental results
• Future works: Eve could estimate Alice’s fingerprint by resorting to profitable patches of each stolen image and then recomposing the fingerprint.

An analysis on attacker actions in fingerprint-copy attack on source camera identification
Roberto Caldelli, Irene Amerini, Andrea Novi
WIFS11, Foz do Iguaçu, 30 November 2011