11.1.3 Watermark removal

2025.10.06.
AI Security Blog

The proliferation of high-fidelity synthetic media has made provenance a critical security concern. Watermarking is the primary technical defense deployed to trace the origin of generated images, enabling detection of AI-generated content. As a red teamer, your objective is not merely to acknowledge these watermarks but to test their resilience. If a watermark can be easily removed, the entire chain of trust it’s meant to establish collapses.

The Purpose and Anatomy of Diffusion Model Watermarks

Unlike traditional watermarks slapped onto a finished image, watermarks in diffusion models can be embedded deep within the generation process itself. The goal is to create a signal that is imperceptible to humans but reliably detectable by an algorithm. This signal must survive common image manipulations, which is precisely where red team testing comes into play.

Kapcsolati űrlap - EN

Do you have a question about AI Security? Reach out to us here:

There are two primary categories of watermarks you will encounter:

  • Visible Watermarks: These are logos or text overlays, often semi-transparent. While they deter casual misuse, they are trivial to remove with inpainting models and are not a serious security mechanism. We will not focus on these.
  • Invisible Watermarks: These are the real targets for security testing. The watermark is embedded as a subtle pattern within the image data itself, often in the frequency domain (e.g., modifying DCT coefficients) or directly in the model’s latent space during the diffusion process. The latter is harder to attack as the pattern is intrinsically linked to the generated image structure.

Watermark Embedding and Removal Attack Flow Diffusion Model Generates Watermark Embedded (Latent/Pixel) Output Image Scanned Detector DETECTED Attacker Applies Removal Technique (e.g., Denoising) “Cleaned” Image Scanned Detector EVADED

The Red Teamer’s Toolkit for Watermark Removal

Your goal is to break the detection process with minimal impact on the visual quality of the image. An effective attack renders the watermark undetectable while preserving the image’s utility for nefarious purposes like spreading misinformation.

1. Simple Transformations (The Baseline Test)

These are the first and easiest attacks to attempt. A robust watermarking scheme should survive them, but you’ll often find they are surprisingly effective against naive implementations.

  • Re-encoding/Compression: Saving the image with high JPEG compression can destroy the subtle, high-frequency signals used by many watermarks.
  • Resizing: Downscaling and then upscaling the image (e.g., to 75% and back to 100%) can disrupt pixel- or frequency-based patterns.
  • Cropping: If the watermark is localized or has a predictable structure, cropping the image edges can remove it entirely.
  • Rotation and Flipping: Small rotations (e.g., 1-2 degrees) followed by straightening can introduce interpolation artifacts that corrupt the watermark.

2. Noise and Filtering Attacks

If simple transformations fail, the next step is to add noise that specifically targets the domain where the watermark lives. This requires a bit more finesse to avoid degrading the image too much.

  • Gaussian Noise: Adding a small amount of random noise across the image can raise the noise floor, making the watermark signal statistically indistinguishable from the background.
  • Blurring Filters: Applying a slight Gaussian blur can smooth out the high-frequency components where many watermarks are hidden.
  • Sharpening Filters: Counter-intuitively, sharpening can also be effective by exaggerating image features and overwhelming the subtle watermark pattern.

# Pseudocode: A simple noise attack using a Python imaging library
from PIL import Image, ImageDraw
import numpy as np

def add_gaussian_noise(image_path, strength=20):
    """
    Adds Gaussian noise to an image to disrupt a watermark.
    """
    img = Image.open(image_path).convert('RGB')
    img_array = np.array(img)
    
    # Generate noise with the same dimensions as the image
    noise = np.random.normal(0, strength, img_array.shape)
    
    # Add noise and clip values to be in the valid 0-255 range
    noisy_array = np.clip(img_array + noise, 0, 255).astype(np.uint8)
    
    noisy_img = Image.fromarray(noisy_array)
    noisy_img.save("image_with_noise.png")
    print("Noise added. Watermark may be corrupted.")

# Usage
# add_gaussian_noise("watermarked_image.png", strength=15)

3. Diffusion-Based Purification (The Advanced Attack)

This is a powerful, model-aware attack. The core idea is to treat the embedded watermark as “noise” and use another diffusion model to “clean” it. You take the watermarked image, add a significant amount of noise to it (e.g., to timestep 150 of a 1000-step process), and then have a diffusion model denoise it back to a clean image. Because the model was trained on natural images, it tends to remove the “unnatural” statistical patterns of the watermark, effectively laundering the image.

This method is highly effective against many latent-space watermarks because the purification process essentially re-draws the image according to the model’s learned distribution, discarding the out-of-distribution watermark data.

Red Team Objective: The success of a diffusion-based purification attack demonstrates a fundamental vulnerability. If the same class of model used to generate content can also be used to strip its identity, the watermarking strategy is flawed. Your finding would highlight that any actor with access to a public diffusion model can potentially bypass the safeguard.

Attack Strategy and Reporting

When testing a watermarking system, you should approach it systematically. Start with the simplest attacks and escalate in complexity. This helps you identify the precise point of failure.

Comparison of Watermark Removal Techniques
Technique Effectiveness Image Degradation Computational Cost Red Team Use Case
JPEG Compression Low to Medium Visible at high levels Very Low Baseline test for robustness.
Resizing/Cropping Low High (if cropped heavily) Very Low Tests for spatially naive watermarks.
Gaussian Noise Medium Low to Medium Low Disrupts statistical detectors.
Diffusion Purification High Very Low High Advanced test against latent-space watermarks.

Your final report should not just state that the watermark was removed. It should detail:

  1. The Method: Which specific attack(s) were successful?
  2. The Threshold: What was the minimum level of distortion required? (e.g., “A JPEG quality of 60 or lower successfully removed the watermark.”)
  3. The Impact: What is the consequence of this removal? (e.g., “The provenance of generated media cannot be reliably established, allowing for plausible deniability in misinformation campaigns.”)
  4. Recommendations: Suggest countermeasures, such as training the watermark detector on attacked images, using more robust embedding algorithms, or combining multiple watermarking schemes.

By breaking these systems, you provide the necessary feedback to build more resilient methods for tracking synthetic media, a task of increasing importance in the modern information ecosystem.

11.1.2. Concept Injection

2025.10.06.

11.1.4. Bypassing NSFW Content Generation Filters

2025.10.06.

Contact

Attila Rácz-Akácosi, AI Security Strategy Consultant, Aiq.hu ©

Send an email with the details, and I will help you outline concrete steps toward safer AI operation.
Ai Red Teaming Hungary, Global Ai Safety / LLM Security Audit

Ai Red Teaming Dictionary

AI Security Audit - Checklist