Your search keyword '"Furon, Teddy"' showing total 40 results

1. Evaluation of Security of ML-based Watermarking: Copy and Removal Attacks

Author

Kinakh, Vitaliy, Pulfer, Brian, Belousov, Yury, Fernandez, Pierre, Furon, Teddy, and Voloshynovskiy, Slava

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

The vast amounts of digital content captured from the real world or AI-generated media necessitate methods for copyright protection, traceability, or data provenance verification. Digital watermarking serves as a crucial approach to address these challenges. Its evolution spans three generations: handcrafted, autoencoder-based, and foundation model based methods. While the robustness of these systems is well-documented, the security against adversarial attacks remains underexplored. This paper evaluates the security of foundation models' latent space digital watermarking systems that utilize adversarial embedding techniques. A series of experiments investigate the security dimensions under copy and removal attacks, providing empirical insights into these systems' vulnerabilities. All experimental codes and results are available at https://github.com/vkinakh/ssl-watermarking-attacks .

Published

2024

2. SWIFT: Semantic Watermarking for Image Forgery Thwarting

Author

Evennou, Gautier, Chappelier, Vivien, Kijak, Ewa, and Furon, Teddy

Subjects

Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Computer Vision and Pattern Recognition, Computer Science - Multimedia

Abstract

This paper proposes a novel approach towards image authentication and tampering detection by using watermarking as a communication channel for semantic information. We modify the HiDDeN deep-learning watermarking architecture to embed and extract high-dimensional real vectors representing image captions. Our method improves significantly robustness on both malign and benign edits. We also introduce a local confidence metric correlated with Message Recovery Rate, enhancing the method's practical applicability. This approach bridges the gap between traditional watermarking and passive forensic methods, offering a robust solution for image integrity verification., Comment: Code will be released

Published

2024

3. WaterMax: breaking the LLM watermark detectability-robustness-quality trade-off

Author

Giboulot, Eva and Furon, Teddy

Subjects

Computer Science - Cryptography and Security, Computer Science - Computation and Language, Computer Science - Machine Learning

Abstract

Watermarking is a technical means to dissuade malfeasant usage of Large Language Models. This paper proposes a novel watermarking scheme, so-called WaterMax, that enjoys high detectability while sustaining the quality of the generated text of the original LLM. Its new design leaves the LLM untouched (no modification of the weights, logits, temperature, or sampling technique). WaterMax balances robustness and complexity contrary to the watermarking techniques of the literature inherently provoking a trade-off between quality and robustness. Its performance is both theoretically proven and experimentally validated. It outperforms all the SotA techniques under the most complete benchmark suite. Code available at https://github.com/eva-giboulot/WaterMax.

Published

2024

4. Watermarking Makes Language Models Radioactive

Author

Sander, Tom, Fernandez, Pierre, Durmus, Alain, Douze, Matthijs, and Furon, Teddy

Subjects

Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Computation and Language, Computer Science - Machine Learning

Abstract

We investigate the radioactivity of text generated by large language models (LLM), i.e. whether it is possible to detect that such synthetic input was used to train a subsequent LLM. Current methods like membership inference or active IP protection either work only in settings where the suspected text is known or do not provide reliable statistical guarantees. We discover that, on the contrary, it is possible to reliably determine if a language model was trained on synthetic data if that data is output by a watermarked LLM. Our new methods, specialized for radioactivity, detects with a provable confidence weak residuals of the watermark signal in the fine-tuned LLM. We link the radioactivity contamination level to the following properties: the watermark robustness, its proportion in the training set, and the fine-tuning process. For instance, if the suspect model is open-weight, we demonstrate that training on watermarked instructions can be detected with high confidence ($p$-value $< 10^{-5}$) even when as little as $5\%$ of training text is watermarked., Comment: Published at NeurIPS 2024 (Spotlight). Code at https://github.com/facebookresearch/radioactive-watermark - webpage at https://pierrefdz.github.io/publications/radioactive/

Published

2024

5. Proactive Detection of Voice Cloning with Localized Watermarking

Author

Roman, Robin San, Fernandez, Pierre, Défossez, Alexandre, Furon, Teddy, Tran, Tuan, and Elsahar, Hady

Subjects

Computer Science - Sound, Computer Science - Artificial Intelligence, Computer Science - Cryptography and Security

Abstract

In the rapidly evolving field of speech generative models, there is a pressing need to ensure audio authenticity against the risks of voice cloning. We present AudioSeal, the first audio watermarking technique designed specifically for localized detection of AI-generated speech. AudioSeal employs a generator/detector architecture trained jointly with a localization loss to enable localized watermark detection up to the sample level, and a novel perceptual loss inspired by auditory masking, that enables AudioSeal to achieve better imperceptibility. AudioSeal achieves state-of-the-art performance in terms of robustness to real life audio manipulations and imperceptibility based on automatic and human evaluation metrics. Additionally, AudioSeal is designed with a fast, single-pass detector, that significantly surpasses existing models in speed - achieving detection up to two orders of magnitude faster, making it ideal for large-scale and real-time applications., Comment: Published at ICML 2024. Code at https://github.com/facebookresearch/audioseal - webpage at https://pierrefdz.github.io/publications/audioseal/

Published

2024

6. Three Bricks to Consolidate Watermarks for Large Language Models

Author

Fernandez, Pierre, Chaffin, Antoine, Tit, Karim, Chappelier, Vivien, and Furon, Teddy

Subjects

Computer Science - Computation and Language, Computer Science - Artificial Intelligence

Abstract

The task of discerning between generated and natural texts is increasingly challenging. In this context, watermarking emerges as a promising technique for ascribing generated text to a specific model. It alters the sampling generation process so as to leave an invisible trace in the generated output, facilitating later detection. This research consolidates watermarks for large language models based on three theoretical and empirical considerations. First, we introduce new statistical tests that offer robust theoretical guarantees which remain valid even at low false-positive rates (less than 10$^{\text{-6}}$). Second, we compare the effectiveness of watermarks using classical benchmarks in the field of natural language processing, gaining insights into their real-world applicability. Third, we develop advanced detection schemes for scenarios where access to the LLM is available, as well as multi-bit watermarking., Comment: Published at WIFS 2023. Code at https://github.com/facebookresearch/three_bricks - webpage at https://pierrefdz.github.io/publications/threebricks/

Published

2023

7. How to choose your best allies for a transferable attack?

Author

Maho, Thibault, Moosavi-Dezfooli, Seyed-Mohsen, and Furon, Teddy

Subjects

Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence

Abstract

The transferability of adversarial examples is a key issue in the security of deep neural networks. The possibility of an adversarial example crafted for a source model fooling another targeted model makes the threat of adversarial attacks more realistic. Measuring transferability is a crucial problem, but the Attack Success Rate alone does not provide a sound evaluation. This paper proposes a new methodology for evaluating transferability by putting distortion in a central position. This new tool shows that transferable attacks may perform far worse than a black box attack if the attacker randomly picks the source model. To address this issue, we propose a new selection mechanism, called FiT, which aims at choosing the best source model with only a few preliminary queries to the target. Our experimental results show that FiT is highly effective at selecting the best source model for multiple scenarios such as single-model attacks, ensemble-model attacks and multiple attacks (Code available at: https://github.com/t-maho/transferability_measure_fit)., Comment: ICCV 2023

Published

2023

8. The Stable Signature: Rooting Watermarks in Latent Diffusion Models

Author

Fernandez, Pierre, Couairon, Guillaume, Jégou, Hervé, Douze, Matthijs, and Furon, Teddy

Subjects

Computer Science - Computer Vision and Pattern Recognition, Computer Science - Artificial Intelligence

Abstract

Generative image modeling enables a wide range of applications but raises ethical concerns about responsible deployment. This paper introduces an active strategy combining image watermarking and Latent Diffusion Models. The goal is for all generated images to conceal an invisible watermark allowing for future detection and/or identification. The method quickly fine-tunes the latent decoder of the image generator, conditioned on a binary signature. A pre-trained watermark extractor recovers the hidden signature from any generated image and a statistical test then determines whether it comes from the generative model. We evaluate the invisibility and robustness of the watermarks on a variety of generation tasks, showing that Stable Signature works even after the images are modified. For instance, it detects the origin of an image generated from a text prompt, then cropped to keep $10\%$ of the content, with $90$+$\%$ accuracy at a false positive rate below 10$^{-6}$., Comment: Published at ICCV 2023. Code at https://github.com/facebookresearch/stable_signature - webpage at https://pierrefdz.github.io/publications/stablesignature

Published

2023

9. Mixer: DNN Watermarking using Image Mixup

Author

Kallas, Kassem and Furon, Teddy

Subjects

Computer Science - Cryptography and Security, Computer Science - Machine Learning, Computer Science - Multimedia

Abstract

It is crucial to protect the intellectual property rights of DNN models prior to their deployment. The DNN should perform two main tasks: its primary task and watermarking task. This paper proposes a lightweight, reliable, and secure DNN watermarking that attempts to establish strong ties between these two tasks. The samples triggering the watermarking task are generated using image Mixup either from training or testing samples. This means that there is an infinity of triggers not limited to the samples used to embed the watermark in the model at training. The extensive experiments on image classification models for different datasets as well as exposing them to a variety of attacks, show that the proposed watermarking provides protection with an adequate level of security and robustness., Comment: arXiv admin note: text overlap with arXiv:2206.11024

Published

2022

10. Active Image Indexing

Author

Fernandez, Pierre, Douze, Matthijs, Jégou, Hervé, and Furon, Teddy

Subjects

Computer Science - Information Retrieval, Computer Science - Artificial Intelligence, Computer Science - Computer Vision and Pattern Recognition, Computer Science - Machine Learning

Abstract

Image copy detection and retrieval from large databases leverage two components. First, a neural network maps an image to a vector representation, that is relatively robust to various transformations of the image. Second, an efficient but approximate similarity search algorithm trades scalability (size and speed) against quality of the search, thereby introducing a source of error. This paper improves the robustness of image copy detection with active indexing, that optimizes the interplay of these two components. We reduce the quantization loss of a given image representation by making imperceptible changes to the image before its release. The loss is back-propagated through the deep neural network back to the image, under perceptual constraints. These modifications make the image more retrievable. Our experiments show that the retrieval and copy detection of activated images is significantly improved. For instance, activation improves by $+40\%$ the Recall1@1 on various image transformations, and for several popular indexing structures based on product quantization and locality sensitivity hashing.

Published

2022

11. FBI: Fingerprinting models with Benign Inputs

Author

Maho, Thibault, Furon, Teddy, and Merrer, Erwan Le

Subjects

Computer Science - Cryptography and Security, Computer Science - Machine Learning

Abstract

Recent advances in the fingerprinting of deep neural networks detect instances of models, placed in a black-box interaction scheme. Inputs used by the fingerprinting protocols are specifically crafted for each precise model to be checked for. While efficient in such a scenario, this nevertheless results in a lack of guarantee after a mere modification (like retraining, quantization) of a model. This paper tackles the challenges to propose i) fingerprinting schemes that are resilient to significant modifications of the models, by generalizing to the notion of model families and their variants, ii) an extension of the fingerprinting task encompassing scenarios where one wants to fingerprint not only a precise model (previously referred to as a detection task) but also to identify which model family is in the black-box (identification task). We achieve both goals by demonstrating that benign inputs, that are unmodified images, for instance, are sufficient material for both tasks. We leverage an information-theoretic scheme for the identification task. We devise a greedy discrimination algorithm for the detection task. Both approaches are experimentally validated over an unprecedented set of more than 1,000 networks.

Published

2022

12. ROSE: A RObust and SEcure DNN Watermarking

Author

Kallas, Kassem and Furon, Teddy

Subjects

Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Machine Learning

Abstract

Protecting the Intellectual Property rights of DNN models is of primary importance prior to their deployment. So far, the proposed methods either necessitate changes to internal model parameters or the machine learning pipeline, or they fail to meet both the security and robustness requirements. This paper proposes a lightweight, robust, and secure black-box DNN watermarking protocol that takes advantage of cryptographic one-way functions as well as the injection of in-task key image-label pairs during the training process. These pairs are later used to prove DNN model ownership during testing. The main feature is that the value of the proof and its security are measurable. The extensive experiments watermarking image classification models for various datasets as well as exposing them to a variety of attacks, show that it provides protection while maintaining an adequate level of security and robustness.

Published

2022

13. AggNet: Learning to Aggregate Faces for Group Membership Verification

Author

Gheisari, Marzieh, Amirian, Javad, Furon, Teddy, and Amsaleg, Laurent

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

In some face recognition applications, we are interested to verify whether an individual is a member of a group, without revealing their identity. Some existing methods, propose a mechanism for quantizing precomputed face descriptors into discrete embeddings and aggregating them into one group representation. However, this mechanism is only optimized for a given closed set of individuals and needs to learn the group representations from scratch every time the groups are changed. In this paper, we propose a deep architecture that jointly learns face descriptors and the aggregation mechanism for better end-to-end performances. The system can be applied to new groups with individuals never seen before and the scheme easily manages new memberships or membership endings. We show through experiments on multiple large-scale wild-face datasets, that the proposed method leads to higher verification performance compared to other baselines.

Published

2022

14. Randomized Smoothing under Attack: How Good is it in Pratice?

Author

Maho, Thibault, Furon, Teddy, and Merrer, Erwan Le

Subjects

Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Machine Learning

Abstract

Randomized smoothing is a recent and celebrated solution to certify the robustness of any classifier. While it indeed provides a theoretical robustness against adversarial attacks, the dimensionality of current classifiers necessarily imposes Monte Carlo approaches for its application in practice. This paper questions the effectiveness of randomized smoothing as a defense, against state of the art black-box attacks. This is a novel perspective, as previous research works considered the certification as an unquestionable guarantee. We first formally highlight the mismatch between a theoretical certification and the practice of attacks on classifiers. We then perform attacks on randomized smoothing as a defense. Our main observation is that there is a major mismatch in the settings of the RS for obtaining high certified robustness or when defeating black box attacks while preserving the classifier accuracy., Comment: ICASSP 2022

Published

2022

15. Watermarking Images in Self-Supervised Latent Spaces

Author

Fernandez, Pierre, Sablayrolles, Alexandre, Furon, Teddy, Jégou, Hervé, and Douze, Matthijs

Subjects

Computer Science - Computer Vision and Pattern Recognition, Computer Science - Machine Learning

Abstract

We revisit watermarking techniques based on pre-trained deep networks, in the light of self-supervised approaches. We present a way to embed both marks and binary messages into their latent spaces, leveraging data augmentation at marking time. Our method can operate at any resolution and creates watermarks robust to a broad range of transformations (rotations, crops, JPEG, contrast, etc). It significantly outperforms the previous zero-bit methods, and its performance on multi-bit watermarking is on par with state-of-the-art encoder-decoder architectures trained end-to-end for watermarking. The code is available at github.com/facebookresearch/ssl_watermarking

Published

2021

16. RoBIC: A benchmark suite for assessing classifiers robustness

Author

Maho, Thibault, Bonnet, Benoît, Furon, Teddy, and Merrer, Erwan Le

Subjects

Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security, Computer Science - Machine Learning

Abstract

Many defenses have emerged with the development of adversarial attacks. Models must be objectively evaluated accordingly. This paper systematically tackles this concern by proposing a new parameter-free benchmark we coin RoBIC. RoBIC fairly evaluates the robustness of image classifiers using a new half-distortion measure. It gauges the robustness of the network against white and black box attacks, independently of its accuracy. RoBIC is faster than the other available benchmarks. We present the significant differences in the robustness of 16 recent models as assessed by RoBIC., Comment: 4 pages, accepted to ICIP 2021

Published

2021

17. SurFree: a fast surrogate-free black-box attack

Author

Maho, Thibault, Furon, Teddy, and Merrer, Erwan Le

Subjects

Computer Science - Cryptography and Security, Computer Science - Artificial Intelligence, Computer Science - Computer Vision and Pattern Recognition, Computer Science - Machine Learning

Abstract

Machine learning classifiers are critically prone to evasion attacks. Adversarial examples are slightly modified inputs that are then misclassified, while remaining perceptively close to their originals. Last couple of years have witnessed a striking decrease in the amount of queries a black box attack submits to the target classifier, in order to forge adversarials. This particularly concerns the black-box score-based setup, where the attacker has access to top predicted probabilites: the amount of queries went from to millions of to less than a thousand. This paper presents SurFree, a geometrical approach that achieves a similar drastic reduction in the amount of queries in the hardest setup: black box decision-based attacks (only the top-1 label is available). We first highlight that the most recent attacks in that setup, HSJA, QEBA and GeoDA all perform costly gradient surrogate estimations. SurFree proposes to bypass these, by instead focusing on careful trials along diverse directions, guided by precise indications of geometrical properties of the classifier decision boundaries. We motivate this geometric approach before performing a head-to-head comparison with previous attacks with the amount of queries as a first class citizen. We exhibit a faster distortion decay under low query amounts (few hundreds to a thousand), while remaining competitive at higher query budgets., Comment: 8 pages

Published

2020

18. Adversarial Images through Stega Glasses

Author

Bonnet, Benoît, Furon, Teddy, and Bas, Patrick

Subjects

Computer Science - Cryptography and Security, Electrical Engineering and Systems Science - Image and Video Processing, Electrical Engineering and Systems Science - Signal Processing

Abstract

This paper explores the connection between steganography and adversarial images. On the one hand, ste-ganalysis helps in detecting adversarial perturbations. On the other hand, steganography helps in forging adversarial perturbations that are not only invisible to the human eye but also statistically undetectable. This work explains how to use these information hiding tools for attacking or defending computer vision image classification. We play this cat and mouse game with state-of-art classifiers, steganalyzers, and steganographic embedding schemes. It turns out that steganography helps more the attacker than the defender., Comment: Submitted to IEEE WIFS

Published

2020

19. An alternative proof of the vulnerability of retrieval in high intrinsic dimensionality neighborhood

Author

Furon, Teddy

Subjects

Computer Science - Machine Learning, Mathematics - Probability, Statistics - Machine Learning

Abstract

This paper investigates the vulnerability of the nearest neighbors search, which is a pivotal tool in data analysis and machine learning. The vulnerability is gauged as the relative amount of perturbation that an attacker needs to add onto a dataset point in order to modify its neighbor rank w.r.t. a query. The statistical distribution of this quantity is derived from simple assumptions. Experiments on six large scale datasets validate this model up to some outliers which are explained in term of violations of the assumptions.

Published

2020

20. Defending Adversarial Examples via DNN Bottleneck Reinforcement

Author

Liu, Wenqing, Shi, Miaojing, Furon, Teddy, and Li, Li

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

This paper presents a DNN bottleneck reinforcement scheme to alleviate the vulnerability of Deep Neural Networks (DNN) against adversarial attacks. Typical DNN classifiers encode the input image into a compressed latent representation more suitable for inference. This information bottleneck makes a trade-off between the image-specific structure and class-specific information in an image. By reinforcing the former while maintaining the latter, any redundant information, be it adversarial or not, should be removed from the latent representation. Hence, this paper proposes to jointly train an auto-encoder (AE) sharing the same encoding weights with the visual classifier. In order to reinforce the information bottleneck, we introduce the multi-scale low-pass objective and multi-scale high-frequency communication for better frequency steering in the network. Unlike existing approaches, our scheme is the first reforming defense per se which keeps the classifier structure untouched without appending any pre-processing head and is trained with clean images only. Extensive experiments on MNIST, CIFAR-10 and ImageNet demonstrate the strong defense of our method against various adversarial attacks., Comment: ACM MM 2020 - Full Paper

Published

2020

21. Group Membership Verification with Privacy: Sparse or Dense?

Author

Gheisari, Marzieh, Furon, Teddy, and Amsaleg, Laurent

Subjects

Computer Science - Cryptography and Security, Computer Science - Computer Vision and Pattern Recognition

Abstract

Group membership verification checks if a biometric trait corresponds to one member of a group without revealing the identity of that member. Recent contributions provide privacy for group membership protocols through the joint use of two mechanisms: quantizing templates into discrete embeddings and aggregating several templates into one group representation. However, this scheme has one drawback: the data structure representing the group has a limited size and cannot recognize noisy queries when many templates are aggregated. Moreover, the sparsity of the embeddings seemingly plays a crucial role on the performance verification. This paper proposes a mathematical model for group membership verification allowing to reveal the impact of sparsity on both security, compactness, and verification performances. This model bridges the gap towards a Bloom filter robust to noisy queries. It shows that a dense solution is more competitive unless the queries are almost noiseless.

Published

2020

22. Joint Learning of Assignment and Representation for Biometric Group Membership

Author

Gheisari, Marzieh, Furon, Teddy, and Amsaleg, Laurent

Subjects

Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security

Abstract

This paper proposes a framework for group membership protocols preventing the curious but honest server from reconstructing the enrolled biometric signatures and inferring the identity of querying clients. This framework learns the embedding parameters, group representations and assignments simultaneously. Experiments show the trade-off between security/privacy and verification/identification performances.

Published

2020

23. Walking on the Edge: Fast, Low-Distortion Adversarial Examples

Author

Zhang, Hanwei, Avrithis, Yannis, Furon, Teddy, and Amsaleg, Laurent

Subjects

Computer Science - Computer Vision and Pattern Recognition, Computer Science - Cryptography and Security, Computer Science - Machine Learning

Abstract

Adversarial examples of deep neural networks are receiving ever increasing attention because they help in understanding and reducing the sensitivity to their input. This is natural given the increasing applications of deep neural networks in our everyday lives. When white-box attacks are almost always successful, it is typically only the distortion of the perturbations that matters in their evaluation. In this work, we argue that speed is important as well, especially when considering that fast attacks are required by adversarial training. Given more time, iterative methods can always find better solutions. We investigate this speed-distortion trade-off in some depth and introduce a new attack called boundary projection (BP) that improves upon existing methods by a large margin. Our key idea is that the classification boundary is a manifold in the image space: we therefore quickly reach the boundary and then optimize distortion on this manifold., Comment: 13 pages, 9 figures

Published

2019

24. Privacy Preserving Group Membership Verification and Identification

Author

Gheisari, Marzieh, Furon, Teddy, and Amsaleg, Laurent

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

When convoking privacy, group membership verification checks if a biometric trait corresponds to one member of a group without revealing the identity of that member. Similarly, group membership identification states which group the individual belongs to, without knowing his/her identity. A recent contribution provides privacy and security for group membership protocols through the joint use of two mechanisms: quantizing biometric templates into discrete embeddings and aggregating several templates into one group representation. This paper significantly improves that contribution because it jointly learns how to embed and aggregate instead of imposing fixed and hard coded rules. This is demonstrated by exposing the mathematical underpinnings of the learning stage before showing the improvements through an extensive series of experiments targeting face recognition. Overall, experiments show that learning yields an excellent trade-off between security /privacy and verification /identification performances., Comment: Accepted at CVPR Workshops 2019

Published

2019

25. Smooth Adversarial Examples

Author

Zhang, Hanwei, Avrithis, Yannis, Furon, Teddy, and Amsaleg, Laurent

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

This paper investigates the visual quality of the adversarial examples. Recent papers propose to smooth the perturbations to get rid of high frequency artefacts. In this work, smoothing has a different meaning as it perceptually shapes the perturbation according to the visual content of the image to be attacked. The perturbation becomes locally smooth on the flat areas of the input image, but it may be noisy on its textured areas and sharp across its edges. This operation relies on Laplacian smoothing, well-known in graph signal processing, which we integrate in the attack pipeline. We benchmark several attacks with and without smoothing under a white-box scenario and evaluate their transferability. Despite the additional constraint of smoothness, our attack has the same probability of success at lower distortion.

Published

2019

26. Aggregation and Embedding for Group Membership Verification

Author

Gheisari, Marzieh, Furon, Teddy, Amsaleg, Laurent, Razeghi, Behrooz, and Voloshynovskiy, Slava

Subjects

Computer Science - Cryptography and Security

Abstract

This paper proposes a group membership verification protocol preventing the curious but honest server from reconstructing the enrolled signatures and inferring the identity of querying clients. The protocol quantizes the signatures into discrete embeddings, making reconstruction difficult. It also aggregates multiple embeddings into representative values, impeding identification. Theoretical and experimental results show the trade-off between the security and the error rates., Comment: accepted at ICASSP 2019

Published

2018

27. Hybrid Diffusion: Spectral-Temporal Graph Filtering for Manifold Ranking

Author

Iscen, Ahmet, Avrithis, Yannis, Tolias, Giorgos, Furon, Teddy, and Chum, Ondrej

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

State of the art image retrieval performance is achieved with CNN features and manifold ranking using a k-NN similarity graph that is pre-computed off-line. The two most successful existing approaches are temporal filtering, where manifold ranking amounts to solving a sparse linear system online, and spectral filtering, where eigen-decomposition of the adjacency matrix is performed off-line and then manifold ranking amounts to dot-product search online. The former suffers from expensive queries and the latter from significant space overhead. Here we introduce a novel, theoretically well-founded hybrid filtering approach allowing full control of the space-time trade-off between these two extremes. Experimentally, we verify that our hybrid method delivers results on par with the state of the art, with lower memory demands compared to spectral filtering approaches and faster compared to temporal filtering.

Published

2018

28. Panorama to panorama matching for location recognition

Author

Iscen, Ahmet, Tolias, Giorgos, Avrithis, Yannis, Furon, Teddy, and Chum, Ondrej

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

Location recognition is commonly treated as visual instance retrieval on "street view" imagery. The dataset items and queries are panoramic views, i.e. groups of images taken at a single location. This work introduces a novel panorama-to-panorama matching process, either by aggregating features of individual images in a group or by explicitly constructing a larger panorama. In either case, multiple views are used as queries. We reach near perfect location recognition on a standard benchmark with only four query views.

Published

2017

29. Fast Spectral Ranking for Similarity Search

Author

Iscen, Ahmet, Avrithis, Yannis, Tolias, Giorgos, Furon, Teddy, and Chum, Ondrej

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

Despite the success of deep learning on representing images for particular object retrieval, recent studies show that the learned representations still lie on manifolds in a high dimensional space. This makes the Euclidean nearest neighbor search biased for this task. Exploring the manifolds online remains expensive even if a nearest neighbor graph has been computed offline. This work introduces an explicit embedding reducing manifold search to Euclidean search followed by dot product similarity search. This is equivalent to linear graph filtering of a sparse signal in the frequency domain. To speed up online search, we compute an approximate Fourier basis of the graph offline. We improve the state of art on particular object retrieval datasets including the challenging Instre dataset containing small objects. At a scale of 10^5 images, the offline cost is only a few hours, while query time is comparable to standard similarity search.

Published

2017

30. Efficient Diffusion on Region Manifolds: Recovering Small Objects with Compact CNN Representations

Author

Iscen, Ahmet, Tolias, Giorgos, Avrithis, Yannis, Furon, Teddy, and Chum, Ondrej

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

Query expansion is a popular method to improve the quality of image retrieval with both conventional and CNN representations. It has been so far limited to global image similarity. This work focuses on diffusion, a mechanism that captures the image manifold in the feature space. The diffusion is carried out on descriptors of overlapping image regions rather than on a global image descriptor like in previous approaches. An efficient off-line stage allows optional reduction in the number of stored regions. In the on-line stage, the proposed handling of unseen queries in the indexing stage removes additional computation to adjust the precomputed data. We perform diffusion through a sparse linear system solver, yielding practical query times well below one second. Experimentally, we observe a significant boost in performance of image retrieval with compact CNN descriptors on standard benchmarks, especially when the query object covers only a small part of the image. Small objects have been a common failure case of CNN-based retrieval., Comment: CVPR 2017

Published

2016

31. Automatic discovery of discriminative parts as a quadratic assignment problem

Author

Sicre, Ronan, Rabin, Julien, Avrithis, Yannis, Furon, Teddy, and Jurie, Frederic

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

Part-based image classification consists in representing categories by small sets of discriminative parts upon which a representation of the images is built. This paper addresses the question of how to automatically learn such parts from a set of labeled training images. The training of parts is cast as a quadratic assignment problem in which optimal correspondences between image regions and parts are automatically learned. The paper analyses different assignment strategies and thoroughly evaluates them on two public datasets: Willow actions and MIT 67 scenes. State-of-the art results are obtained on these datasets.

Published

2016

32. Memory vectors for similarity search in high-dimensional spaces

Author

Iscen, Ahmet, Furon, Teddy, Gripon, Vincent, Rabbat, Michael, and Jégou, Hervé

Subjects

Computer Science - Computer Vision and Pattern Recognition, Computer Science - Databases

Abstract

We study an indexing architecture to store and search in a database of high-dimensional vectors from the perspective of statistical signal processing and decision theory. This architecture is composed of several memory units, each of which summarizes a fraction of the database by a single representative vector. The potential similarity of the query to one of the vectors stored in the memory unit is gauged by a simple correlation with the memory unit's representative vector. This representative optimizes the test of the following hypothesis: the query is independent from any vector in the memory unit vs. the query is a simple perturbation of one of the stored vectors. Compared to exhaustive search, our approach finds the most similar database vectors significantly faster without a noticeable reduction in search quality. Interestingly, the reduction of complexity is provably better in high-dimensional spaces. We empirically demonstrate its practical interest in a large-scale image search scenario with off-the-shelf state-of-the-art descriptors., Comment: Accepted to IEEE Transactions on Big Data

Published

2014

33. Orientation covariant aggregation of local descriptors with embeddings

Author

Tolias, Giorgos, Furon, Teddy, and Jégou, Hervé

Subjects

Computer Science - Computer Vision and Pattern Recognition

Abstract

Image search systems based on local descriptors typically achieve orientation invariance by aligning the patches on their dominant orientations. Albeit successful, this choice introduces too much invariance because it does not guarantee that the patches are rotated consistently. This paper introduces an aggregation strategy of local descriptors that achieves this covariance property by jointly encoding the angle in the aggregation stage in a continuous manner. It is combined with an efficient monomial embedding to provide a codebook-free method to aggregate local descriptors into a single vector representation. Our strategy is also compatible and employed with several popular encoding methods, in particular bag-of-words, VLAD and the Fisher vector. Our geometric-aware aggregation strategy is effective for image search, as shown by experiments performed on standard benchmarks for image and particular object retrieval, namely Holidays and Oxford buildings., Comment: European Conference on Computer Vision (2014)

Published

2014

34. The Effective Key Length of Watermarking Schemes

Author

Bas, Patrick and Furon, Teddy

Subjects

Computer Science - Cryptography and Security

Abstract

Whereas the embedding distortion, the payload and the robustness of digital watermarking schemes are well understood, the notion of security is still not completely well defined. The approach proposed in the last five years is too theoretical and solely considers the embedding process, which is half of the watermarking scheme. This paper proposes a new measurement of watermarking security, called the effective key length, which captures the difficulty for the adversary to get access to the watermarking channel. This new methodology is applied to additive spread spectrum schemes where theoretical and practical computations of the effective key length are proposed. It shows that these schemes are not secure as soon as the adversary gets observations in the Known Message Attack context.

Published

2012

35. Anti-sparse coding for approximate nearest neighbor search

Author

Jégou, Hervé, Furon, Teddy, and Fuchs, Jean-Jacques

Subjects

Computer Science - Computer Vision and Pattern Recognition, Computer Science - Databases, Computer Science - Information Retrieval, Computer Science - Information Theory

Abstract

This paper proposes a binarization scheme for vectors of high dimension based on the recent concept of anti-sparse coding, and shows its excellent performance for approximate nearest neighbor search. Unlike other binarization schemes, this framework allows, up to a scaling factor, the explicit reconstruction from the binary representation of the original vector. The paper also shows that random projections which are used in Locality Sensitive Hashing algorithms, are significantly outperformed by regular frames for both synthetic and real data if the number of bits exceeds the vector dimensionality, i.e., when high precision is required., Comment: submitted to ICASSP'2012; RR-7771 (2011)

Published

2011

36. Towards joint decoding of binary Tardos fingerprinting codes

Author

Meerwald, Peter and Furon, Teddy

Subjects

Computer Science - Information Theory, Computer Science - Cryptography and Security

Abstract

The class of joint decoder of probabilistic fingerprinting codes is of utmost importance in theoretical papers to establish the concept of fingerprint capacity. However, no implementation supporting a large user base is known to date. This article presents an iterative decoder which is, as far as we are aware of, the first practical attempt towards joint decoding. The discriminative feature of the scores benefits on one hand from the side-information of previously accused users, and on the other hand, from recently introduced universal linear decoders for compound channels. Neither the code construction nor the decoder make precise assumptions about the collusion (size or strategy). The extension to incorporate soft outputs from the watermarking layer is straightforward. An extensive experimental work benchmarks the very good performance and offers a clear comparison with previous state-of-the-art decoders., Comment: submitted to IEEE Trans. on Information Forensics and Security. - typos corrected, one new plot, references added about ECC based fingerprinting codes

Published

2011

37. An Asymmetric Fingerprinting Scheme based on Tardos Codes

Author

Charpentier, Ana, Fontaine, Caroline, Furon, Teddy, and Cox, Ingemar

Subjects

Computer Science - Cryptography and Security

Abstract

Tardos codes are currently the state-of-the-art in the design of practical collusion-resistant fingerprinting codes. Tardos codes rely on a secret vector drawn from a publicly known probability distribution in order to generate each Buyer's fingerprint. For security purposes, this secret vector must not be revealed to the Buyers. To prevent an untrustworthy Provider forging a copy of a Work with an innocent Buyer's fingerprint, previous asymmetric fingerprinting algorithms enforce the idea of the Buyers generating their own fingerprint. Applying this concept to Tardos codes is challenging since the fingerprint must be based on this vector secret. This paper provides the first solution for an asymmetric fingerprinting protocol dedicated to Tardos codes. The motivations come from a new attack, in which an untrustworthy Provider by modifying his secret vector frames an innocent Buyer., Comment: 6 pages, 2 figures

Published

2010

38. Worst case attacks against binary probabilistic traitor tracing codes

Author

Furon, Teddy and Perez-Freire, Luis

Subjects

Computer Science - Information Theory, Computer Science - Cryptography and Security

Abstract

An insightful view into the design of traitor tracing codes should necessarily consider the worst case attacks that the colluders can lead. This paper takes an information-theoretic point of view where the worst case attack is defined as the collusion strategy minimizing the achievable rate of the traitor tracing code. Two different decoders are envisaged, the joint decoder and the simple decoder, as recently defined by P. Moulin \cite{Moulin08universal}. Several classes of colluders are defined with increasing power. The worst case attack is derived for each class and each decoder when applied to Tardos' codes and a probabilistic version of the Boneh-Shaw construction. This contextual study gives the real rates achievable by the binary probabilistic traitor tracing codes. Attacks usually considered in literature, such as majority or minority votes, are indeed largely suboptimal. This article also shows the utmost importance of the time-sharing concept in a probabilistic codes., Comment: submitted to IEEE Trans. on Information Forensics and Security

Published

2009

39. The Good, the Bad, and the Ugly: three different approaches to break their watermarking system

Author

Guelvouit, Gaëtan Le, Furon, Teddy, and Cayre, François

Subjects

Computer Science - Graphics, Computer Science - Multimedia

Abstract

The Good is Blondie, a wandering gunman with a strong personal sense of honor. The Bad is Angel Eyes, a sadistic hitman who always hits his mark. The Ugly is Tuco, a Mexican bandit who's always only looking out for himself. Against the backdrop of the BOWS contest, they search for a watermark in gold buried in three images. Each knows only a portion of the gold's exact location, so for the moment they're dependent on each other. However, none are particularly inclined to share..., Comment: 8 pages, 8 figures

Published

2008

40. A constructive and unifying framework for zero-bit watermarking

Author

Furon, Teddy

Subjects

Computer Science - Multimedia, Computer Science - Cryptography and Security

Abstract

In the watermark detection scenario, also known as zero-bit watermarking, a watermark, carrying no hidden message, is inserted in content. The watermark detector checks for the presence of this particular weak signal in content. The article looks at this problem from a classical detection theory point of view, but with side information enabled at the embedding side. This means that the watermark signal is a function of the host content. Our study is twofold. The first step is to design the best embedding function for a given detection function, and the best detection function for a given embedding function. This yields two conditions, which are mixed into one `fundamental' partial differential equation. It appears that many famous watermarking schemes are indeed solution to this `fundamental' equation. This study thus gives birth to a constructive framework unifying solutions, so far perceived as very different., Comment: submitted to IEEE Trans. on Information Forensics and Security

Published

2006