Watermark Tool

This tool has two functions: 1) watermark embedding of the IoTDB query result and 2) watermark detection of the suspected data.

Watermark Embedding

Configuration

Watermark is disabled by default in IoTDB. To enable watermark embedding, the first thing is to modify the following fields in the configuration file iotdb-engine.properties:

NameExampleExplanation
watermark_module_openedfalsetrue to enable watermark embedding of the IoTDB server; false to disable
watermark_secret_keyIoTDB*2019@Beijingself-defined secret key
watermark_bit_string1001011101000-1 bit string to be embedded
watermark_methodGroupBasedLSBMethod(embed_row_cycle=2,embed_lsb_num=5)specifies the watermark algorithm and its paramters

Notes:

  • watermark_module_opened: Set it to be true if you want to enable watermark embedding
  • watermark_secret_key: Character ‘&’ is not allowed. There is no constraint on the length of the secret key. Generally, the longer the key is, the higher the bar to intruders.
  • watermark_bit_string: There is no constraint on the length of the bit string (except that it should not be empty). But note that it is difficult to reach the required significance level at the watermark detection phase if the bit string is way too short.
  • watermark_method: Now only GroupBasedLSBMethod is supported, so actually you can only tune the two parameters of this method, which are embed_row_cycle and embed_lsb_num.
    • Both of them should be positive integers.
    • embed_row_cycle controls the ratio of rows watermarked. The smaller the embed_row_cycle, the larger the ratio of rows watermarked. When embed_row_cycle equals 1, every row is watermarked.
    • GroupBasedLSBMethod uses LSB embedding. embed_lsb_num controls the number of least significant bits available for watermark embedding. The biggger the embed_lsb_num, the larger the varying range of a data point.
  • watermark_secret_key, watermark_bit_string and watermark_method should be kept secret from possible attackers. That is, it is your responsiblity to take care of iotdb-engine.properties.

Usage Example

  • step 1. Create a new user Alice, grant read privilege and query

A newly created user doesn’t use watermark by default. So the query result is the original data.

  1. .\start-cli.bat -u root -pw root
  2. create user Alice 1234
  3. grant user Alice privileges 'READ_TIMESERIES' on root.vehicle
  4. exit
  5. .\start-cli.bat -u Alice -pw 1234
  6. select * from root
  7. +-----------------------------------+------------------+
  8. | Time|root.vehicle.d0.s0|
  9. +-----------------------------------+------------------+
  10. | 1970-01-01T08:00:00.001+08:00| 21.5|
  11. | 1970-01-01T08:00:00.002+08:00| 22.5|
  12. | 1970-01-01T08:00:00.003+08:00| 23.5|
  13. | 1970-01-01T08:00:00.004+08:00| 24.5|
  14. | 1970-01-01T08:00:00.005+08:00| 25.5|
  15. | 1970-01-01T08:00:00.006+08:00| 26.5|
  16. | 1970-01-01T08:00:00.007+08:00| 27.5|
  17. | 1970-01-01T08:00:00.008+08:00| 28.5|
  18. | 1970-01-01T08:00:00.009+08:00| 29.5|
  19. | 1970-01-01T08:00:00.010+08:00| 30.5|
  20. | 1970-01-01T08:00:00.011+08:00| 31.5|
  21. | 1970-01-01T08:00:00.012+08:00| 32.5|
  22. | 1970-01-01T08:00:00.013+08:00| 33.5|
  23. | 1970-01-01T08:00:00.014+08:00| 34.5|
  24. | 1970-01-01T08:00:00.015+08:00| 35.5|
  25. | 1970-01-01T08:00:00.016+08:00| 36.5|
  26. | 1970-01-01T08:00:00.017+08:00| 37.5|
  27. | 1970-01-01T08:00:00.018+08:00| 38.5|
  28. | 1970-01-01T08:00:00.019+08:00| 39.5|
  29. | 1970-01-01T08:00:00.020+08:00| 40.5|
  30. | 1970-01-01T08:00:00.021+08:00| 41.5|
  31. | 1970-01-01T08:00:00.022+08:00| 42.5|
  32. | 1970-01-01T08:00:00.023+08:00| 43.5|
  33. | 1970-01-01T08:00:00.024+08:00| 44.5|
  34. | 1970-01-01T08:00:00.025+08:00| 45.5|
  35. | 1970-01-01T08:00:00.026+08:00| 46.5|
  36. | 1970-01-01T08:00:00.027+08:00| 47.5|
  37. | 1970-01-01T08:00:00.028+08:00| 48.5|
  38. | 1970-01-01T08:00:00.029+08:00| 49.5|
  39. | 1970-01-01T08:00:00.030+08:00| 50.5|
  40. | 1970-01-01T08:00:00.031+08:00| 51.5|
  41. | 1970-01-01T08:00:00.032+08:00| 52.5|
  42. | 1970-01-01T08:00:00.033+08:00| 53.5|
  43. +-----------------------------------+------------------+
  • step 2. grant watermark_embedding to Alice

Usage: grant watermark_embedding to Alice

Note that you can use grant watermark_embedding to user1,user2,... to grant watermark_embedding to multiple users.

Only root can run this command. After root grants watermark_embedding to Alice, all query results of Alice are watermarked.

  1. .\start-cli.bat -u root -pw root
  2. grant watermark_embedding to Alice
  3. exit
  4. .\start-cli.bat -u Alice -pw '1234'
  5. select * from root
  6. +-----------------------------------+------------------+
  7. | Time|root.vehicle.d0.s0|
  8. +-----------------------------------+------------------+
  9. | 1970-01-01T08:00:00.001+08:00| 21.5|
  10. | 1970-01-01T08:00:00.002+08:00| 22.5|
  11. | 1970-01-01T08:00:00.003+08:00| 23.500008|
  12. | 1970-01-01T08:00:00.004+08:00| 24.500015|
  13. | 1970-01-01T08:00:00.005+08:00| 25.5|
  14. | 1970-01-01T08:00:00.006+08:00| 26.500015|
  15. | 1970-01-01T08:00:00.007+08:00| 27.5|
  16. | 1970-01-01T08:00:00.008+08:00| 28.500004|
  17. | 1970-01-01T08:00:00.009+08:00| 29.5|
  18. | 1970-01-01T08:00:00.010+08:00| 30.5|
  19. | 1970-01-01T08:00:00.011+08:00| 31.5|
  20. | 1970-01-01T08:00:00.012+08:00| 32.5|
  21. | 1970-01-01T08:00:00.013+08:00| 33.5|
  22. | 1970-01-01T08:00:00.014+08:00| 34.5|
  23. | 1970-01-01T08:00:00.015+08:00| 35.500004|
  24. | 1970-01-01T08:00:00.016+08:00| 36.5|
  25. | 1970-01-01T08:00:00.017+08:00| 37.5|
  26. | 1970-01-01T08:00:00.018+08:00| 38.5|
  27. | 1970-01-01T08:00:00.019+08:00| 39.5|
  28. | 1970-01-01T08:00:00.020+08:00| 40.5|
  29. | 1970-01-01T08:00:00.021+08:00| 41.5|
  30. | 1970-01-01T08:00:00.022+08:00| 42.500015|
  31. | 1970-01-01T08:00:00.023+08:00| 43.5|
  32. | 1970-01-01T08:00:00.024+08:00| 44.500008|
  33. | 1970-01-01T08:00:00.025+08:00| 45.50003|
  34. | 1970-01-01T08:00:00.026+08:00| 46.500008|
  35. | 1970-01-01T08:00:00.027+08:00| 47.500008|
  36. | 1970-01-01T08:00:00.028+08:00| 48.5|
  37. | 1970-01-01T08:00:00.029+08:00| 49.5|
  38. | 1970-01-01T08:00:00.030+08:00| 50.5|
  39. | 1970-01-01T08:00:00.031+08:00| 51.500008|
  40. | 1970-01-01T08:00:00.032+08:00| 52.5|
  41. | 1970-01-01T08:00:00.033+08:00| 53.5|
  42. +-----------------------------------+------------------+
  • step 3. revoke watermark_embedding from Alice

Usage: revoke watermark_embedding from Alice

Note that you can use revoke watermark_embedding from user1,user2,... to revoke watermark_embedding from multiple users.

Only root can run this command. After root revokes watermark_embedding from Alice, all query results of Alice are original again.

Watermark Detection

detect-watermark.sh and detect-watermark.bat are provided for different platforms.

Usage: ./detect-watermark.sh [filePath] [secretKey] [watermarkBitString] [embed_row_cycle] [embed_lsb_num] [alpha] [columnIndex] [dataType: int/float/double]

Example: ./detect-watermark.sh /home/data/dump1.csv IoTDB*2019@Beijing 100101110100 2 5 0.05 1 float

ArgsExampleExplanation
filePath/home/data/dump1.csvsuspected data file path
secretKeyIoTDB*2019@Beijingsee watermark embedding section
watermarkBitString100101110100see watermark embedding section
embed_row_cycle2see watermark embedding section
embed_lsb_num5see watermark embedding section
alpha0.05significance level
columnIndex1specifies one column of the data to detect
dataTypefloatspecifies the data type of the detected column; int/float/double

Notes:

  • filePath: You can use export-csv tool to generate such data file. The first row is header and the first column is time. Data in the file looks like this:

    Timeroot.vehicle.d0.s1root.vehicle.d0.s1
    1970-01-01T08:00:00.001+08:00100null
  • watermark_secret_key, watermark_bit_string, embed_row_cycle and embed_lsb_num should be consistent with those used in the embedding phase.

  • alpha: It should be in the range of [0,1]. The watermark detection is based on the significance test. The smaller the alpha is, the lower the probability that the data without the watermark is detected to be watermark embedded, and thus the higher the credibility of the result of detecting the existence of the watermark in data.

  • columnIndex: It should be a positive integer.