The rise of generative neural networks has triggered an increased demand for intellectual property (IP) protection in generated content. Deep watermarking techniques, recognized for their flexibility in IP protection, have garnered significant attention. However, the surge in adversarial transferable attacks poses unprecedented challenges to the security of deep watermarking techniques-an area currently lacking systematic investigation. This study fills this gap by introducing two effective transferable attackers to assess the vulnerability of deep watermarks against erasure and tampering risks. Specifically, we initially define the concept of local sample density, utilizing it to deduce theorems on the consistency of model outputs. Upon discovering that perturbing samples towards high sample density regions (HSDR) of the target class enhances targeted adversarial transferability, we propose the Easy Sample Selection (ESS) mechanism and the Easy Sample Matching Attack (ESMA) method. Additionally, we propose the Bottleneck Enhanced Mixup (BEM) that integrates information bottleneck theory to reduce the generator's dependence on irrelevant noise. Experiments show a significant enhancement in the success rate of targeted transfer attacks for both ESMA and BEM-ESMA methods. We further conduct a comprehensive evaluation using ESMA and BEM-ESMA as measurements, considering model architecture and watermark encoding length, and achieve some impressive findings.

翻译：生成式神经网络的兴起引发了对生成内容知识产权保护的日益增长需求。深度水印技术因其在知识产权保护中的灵活性而受到广泛关注。然而，对抗性迁移攻击的激增对深度水印技术的安全性提出了前所未有的挑战——该领域目前缺乏系统性研究。本研究通过引入两种有效的迁移攻击方法来评估深度水印在擦除和篡改风险下的脆弱性。具体而言，我们首先定义了局部样本密度的概念，并利用它推导出关于模型输出一致性的定理。在发现将样本向目标类别的高样本密度区域（HSDR）扰动可增强目标迁移攻击性后，我们提出了简单样本选择（ESS）机制和简单样本匹配攻击（ESMA）方法。此外，我们提出了瓶颈增强混合（BEM）方法，该算法融合信息瓶颈理论以减少生成器对无关噪声的依赖。实验表明，ESMA和BEM-ESMA方法在目标迁移攻击成功率上均有显著提升。我们进一步以ESMA和BEM-ESMA作为评估指标，考虑模型架构和数字水印编码长度开展了全面评估，并获得了若干值得关注的发现。