In watermarking terminology, an attack is any processing that may impair detection of the watermark or communication of the information conveyed by the watermark. The processed, watermarked data is then called attacked data. Robustness against attacks is an important aspect for watermarking schemes. The usefulness of an attacked data can be measured by its perceptual quality and the amount of watermark impairment can be measured by criteria such as miss probability, probability of bit error, or channel capacity. An attack succeeds in defeating a watermarking scheme if it impairs the watermark beyond acceptable limits while maintaining the perceptual quality of the attacked data. The wide class of existing attacks can be divided into four main groups: removal attacks, geometrical attacks, cryptographic attacks and protocol attacks.

1. Removal attacks

Removal attacks attempt to weaken or completely remove a watermark from its associated content, while preserving the content so that it is not useless after the attack is over. This category includes denoising, quantization, remodulation, and collusion attacks. Denoising and quantization attacks impair the watermark quality as much as possible, while keeping the quality of the attacked data high enough. Lossy compression has the same effect as denoising The remodulation attack aims to predict the watermark. It may be. implemented by subtracting the median filtered version of the watermarked image from the watermarked image itself. Then the predicted watermark is removed from the watermarked image, resulting with the median filtered version of watermarked data. Collusion attacks are applicable when many copies of a given data set, each signed with a different watermark, can be obtained by an attacker. In such a case, a successful attack can be achieved by averaging all copies or taking only small parts from each different copy.

1. Geometric attacks

Geometric distortions are specific to videos and images including operations as rotation, scaling, translation, cropping etc. In contrast to removal attacks, geometric attacks do not actually remove the embedded watermark, but intend to distort the watermark detector synchronization with the embedded information. The detector could recover the embedded watermark information when perfect synchronization is regained. However, the complexity of the required synchronization process might be too great to be practical. Recent watermarking methods try to survive from these attacks by use of templates, invariant domains, image feature dependent methods or self synchronizing watermarks to overcome the geometrical transformations inflicted by the attacker.

1. Cryptographic attacks

Cryptographic attacks aim at cracking the security methods in watermarking schemes and thus finding a way to remove the embedded watermark information or to embed misleading watermarks. One such technique is the brute-force search for the embedded secret information. Another attack in this category is the so-called Oracle attack, which can be used to create a non-watermarked signal when a watermark detector device is available. Practically, application of these attacks is restricted due to their high computational complexity.

1. Protocol attacks

Craver et al described a method, called the watermark inversion attack or IBM attack, to provide a counterfeit watermarking schemes that can be performed on a watermarked image to create uncertainty about which watermark was inserted first. Another protocol attack is the copy attack. In this case, the watermark is estimated by using a watermarked data, and this estimated watermark is embedded into another data by adapting the local features to satisfy its imperceptibility.