Visual Content Provenance
“Is seeing believing?” – unfortunately it is not necessarily true, especially for visual content on the Internet. Nowadays, digital imagery can be forged at ease using an image editing tool such as Photoshop, or synthesised using AI (for example, this website uses AI to generate a new human face every refresh). While we have learnt to not trust everything on the Internet, our decision making about the trustworthiness of a media content is mostly based on personal knowledge and experience. A common practice is to ask a series of fact-checking questions, such as “Does it follow common sense?”, “Is this sharing platform known for spreading fake news?”, “Is there any unusual artefact in this image/video?”. Nevertheless, this practice is not absolutely fake-proof – a carefully manipulated content in an appropriate context can still deceive unsuspecting eyes.
It would be ideal if technology could be leveraged to help users make more informed decisions on whether to trust the media they encounter online. Currently, there are two ways to detect manipulated content: blind-detection and content provenance. The former detects “what is fake” by examining the presence of visual anomalies or artefacts created by editing tools or AI during the manipulation process (check here for a classical method using noise analysis, and here for a more sophisticated method using AI). On the contrary, the latter proves “what is true” by giving viewers access to a version history of the content, or provenance, to show how it’s changed since it was originally created. Blind-detection methods are usually faster and less expensive, however the process itself is a cat-and-mouse game – as the manipulation tools and synthesising AI become more sophisticated, the detectors must also evolve to catch up. Content provenance addresses these shortcomings and is an active research project at Decade.
Content Provenance – how does it work
Content Provenance requires media content and its associated provenance information to be registered in a database, which could be a centralised cloud service or a decentralised system such as blockchain. The method in which provenance information is binded with its content, along with how they are updated and maintained is specified in C2PA, an emerging standard to tackle disinformation in the digital news ecosystem. In the nut shell, provenance information is stored securely within metadata called C2PA manifest. Each time the media content is edited using a C2PA-supported software, another layer of metadata containing all information about the changes is added and sealed on top of the existing ones. Viewers can examine the metadata for a full story of changes that have been applied to make it as is.
Things get complicated when metadata is stripped from content during its online redistribution. This is not uncommon – large social media platforms such as Facebook, Twitter and LinkedIn currently remove metadata from uploaded images by default due to privacy concerns. Even if these platforms changed their policies in future, metadata could still be intentionally stripped by malicious attackers before uploading. Tracing a metadata-stripped media content back to the database registry is a research focus at Decade. Figure. 1 summarises our content provenance pipeline. The core component is a fingerprinting algorithm that encodes the media content to a compact set of binary numbers called fingerprint, which can be used to identify that content. When a media content is registered to the database, its fingerprint is computed and stored together with the metadata. Given a piece of content that does not have metadata, we can still compute its fingerprint and query against the database registry to retrieve the closest match along with the latest metadata. Once a match has been found, further analysis could be implemented to identify possibly unknown changes on the query.
Figure 1. The content provenance pipeline.
The challenges
Fingerprinting media content is not a trivial task. The most popular method is to use cryptographic hash – a fixed-size short string of bytes to represent the content. Notable cryptographic hashing algorithms include MD5, SHA-1, SHA-2, Blowfish, which have desirable properties such as determinism (a given content should always output the same hash), non-reversibility (the hash is one-way function, it is extremely difficult to reconstruct the content from the hash) and collision resistance (it is difficult to have two contents with the same hash value). However, cryptographic hash has the avalanche effect, where a single bit change in the digital content will result in a totally different hash. This is an undesirable property for content provenance, since media content is often subjected to transformations during its redistribution online. Figure.2 shows an example of several common transformations to be applied on an image, resulting in different MD5 hashes.
Figure 2. Image transformations, whether being benign or editorial, always change the MD5 hash of an image. This adds a barrier to content provenance.
We think a next generation of fingerprinting algorithms should be developed for content provenance. In our opinions, a successful fingerprinting model should:
- Inherit two desirable properties of cryptographic hash: determinism and non-reversibility. Collision resistance is a nice property but not essential, if we treat the matching process as a retrieval problem. Two similar contents should have similar hashes (fingerprints). Given a query hash, we could search for the closest hash in the database rather than finding an exact match.
- Be robust to transformations. We are interested in two kinds of transformations: non-editorial (or benign) transformations which do not change the story told by the media content (for example, jpeg compression, horizontal flip, blurring,…) and editorial transformations which change the content’s message in a certain way. Examples of these transformations are shown in Figure. 2.
- Ideally capable of highlighting the difference between the query and its registered version (associated with the latest provenance information), especially if the query has unknown subtle manipulations. This is the ultimate goal of our work in assisting users to make an informed trust decision. It is worth noting that the boundary between manipulation (editorial) and benign (non-editorial) is not always separable – a jpeg compression operation, for example, if being too severe, can distort and possibly change the content of an image.
- Yield compact fingerprints. The hash should be short, ideally in binary, to enable large-scale search and efficient storage and maintenance, especially in decentralised systems.
Our preliminary work
To address the above challenges, we develop AI fingerprinting models that use Machine Learning algorithms to learn the hashing function f(.) in Figure. 1. We “teach” the AI model to be robust to transformations by feeding to it various benign and manipulation examples. A content-aware hash is learnt – two similar pieces of content have two similar hashes so the difference between two hashes can tell the similarity of the content. Our models exhibit several interesting properties. First, it is deterministic by design and non-reversible (at the time of writing we are not aware of any reverse engineering method that can reconstruct content from its hash values). Second, it is not only robust to transformations that it “sees” during training but also generalises on “unseen” transformations. Third, its output hash is compact, a set of 256 32-bit floating point numbers, which could be further “compressed” into 64-bit binary hash with minimal drop in performance. Finally, our models are capable of detecting possible manipulation regions between the query and its registered version in the database.
Figure 3. shows examples of retrieving the original images (and its provenance information) in a 2-million registry database, given heavily distorted queries.
Figure 3. Searching in a database of 2M registered images using an AI fingerprinting model. The queries in the top 2 rows have some benign transformations while the last row has an editorial change.
Figure 4. Shows our AI’s performance on manipulation detection and visualisation.
Figure 4. We use AI to detect and highlight manipulation regions in the query images. Green: ground truth, Yellow: prediction.
We also demonstrate our models’ functionality in the following demo:
Remarks
We think content provenance is essential to address the prevalence of online disinformation. Currently, when a fake content is surfaced on the Internet, it takes time to spot it (usually by someone who is familiar with the original pristine content, or by a digital forensic expert). Technologies could be used to speed up this process and ultimately help users make more informed trust decisions about the content they see online. The recent release of C2PA standards marks a milestone in this mission. However, more work needs to be done to address the problem of metadata-stripped content. In our preliminary work, we have demonstrated some progress in building AI-based content-aware hashing models for fingerprinting visual content. The problem is not solved though, as more research is needed to evaluate the robustness of the models, especially in scalability and reducing false negative rate (in detecting/visualising manipulation regions). On the broader context, extending content provenance from visual content to textual content is not easy; and detecting fake news (whether the news tells a true story or not) poses another great challenge which could probably only be solved using Artificial General Intelligence.
References
Below are our related publications in this topic. Most of the figures in this blog are results of our method proposed in [1] and [3]. The work of [5] and [6] were funded by the related EPSRC Archangel project.
[3] Black, A., Bui, T., Jenni, S., Swaminathan, V. and Collomosse, J., 2021. VPN: Video Provenance Network for Robust Content Attribution. Proceedings of the 18th ACM SIGGRAPH European Conference on Visual Media Production (CVMP).
[4] Andriushchenko, M., Li, X.R., Oxholm, G., Gittings, T., Bui, T., Flammarion, N. and Collomosse, J., 2022. ARIA: Adversarially Robust Image Attribution for Content Provenance. In Proceedings of IEEE Computer Vision and Pattern Recognition Workshop on Media Forensics (CVPR WMF).
[6] Bui, T., Cooper, D., Collomosse, J., Bell, M., Green, A., Sheridan, J., Higgins, J., Das, A., Keller, J., Thereaux, O. and Brown, A., 2019. Archangel: Tamper-proofing video archives using temporal content hashes on the blockchain. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops.
Author- Dr Tu Bui, Research Fellow