The present disclosure generally concerns marking digital content received by a user unit in order to establish a link between the user unit and a specific copy of content. The disclosure more specifically concerns a user unit for watermarking digital content.. BACKGROUND ART

Nowadays, secure media players or more generally user units are available for receiving and processing Digital Right Management DRM protected content or conditional access content CAS such as pay-TV content for example. With these secure media players, it is also possible to insert a watermark in a data stream received by the secure media player, before playing or displaying the content.

An issue with DRM and/or conditional access content concerns the security. A first way to deal with this security issue is to make it difficult for a user to access the content if this user does not have the correct access means. This way is used by conditional access and DRM systems which encrypt the content and provide the decryption means only to legitimate user units.

When content is encrypted and protected by DRM, content may be decrypted only by legitimate user units. An attack can happen after this decryption and can be made on a legitimate user unit. For this reason, DRM protection is not sufficient to guarantee security of the content.

Another way to deal with security issues, which can be used alone or in complement with the first way, is to make it easier to detect and to identify a user unit or a secure media player which was used for performing illegal actions. Such illegal actions can in particular include sharing content with people who are not entitled to receive the content. Once illegal actions are detected and the user unit identified, it is possible to use countermeasures to stop these illegal actions.

There are at least two main types of illegal actions one can face within a DRM based system: · A first type is an illegitimate user that has not paid any subscription and tries to attack the system, descrambles content, tries to gain access to the system e.g. by impersonating a legitimate user, etc...

• A second type is a legitimate end user having paid a subscription, and tries to steal content to share it or to be able to view it after his license has expired.

The present disclosure concerns the second type, i.e. people who can legitimately descramble the content, and who want to keep a clear copy, for sharing with others or for their own personal usage.

A way to detect illegal actions and to identify the illegitimate user unit comprises inserting a watermark in a particular content. This watermark enables retrieving an identifier of the user unit which was used to act illegally.

In the context of the detection of illegal actions, it can be helpful to determine not only who carried out an attack, but also how this attack was carried out.

Digital content is usually compressed and encrypted before being sent to a user unit. Once decrypted by the user unit, the content has to be decompressed prior to being displayed. Illegal actions can be made on the compressed content, once decrypted, or on the uncompressed content, once decompressed. Depending on whether an attack has been made on the compressed or uncompressed content, different countermeasures or actions can be made in view of ensuring security. Thus, there is a need to determine, in case of an attack was detected, the author of the attack and when this attack took place, i.e. whether on the compressed or decompressed content. DETAILED DISCLOSURE

An object of the present disclosure is to provide a user unit and a method for marking content which may allow for the identification of the user unit which may make the content available, i.e. the user unit used for an attack.

According to one aspect of the disclosure, the user unit may comprise a receiver for receiving an encrypted data stream comprising at least encrypted digital compressed content and at least an encrypted marking message; at least one decryption unit for decrypting said encrypted data stream to produce a clear data stream comprising at least clear compressed content and a clear marking message comprising marking information and commands, said clear compressed content corresponding to the result of the decryption of said encrypted compressed content; a first marking module for applying a first watermark on at least one location of the clear compressed content, said at least one location being indicated by the marking information, thus producing a marked compressed content; a decompression module arranged to decompress said marked compressed content, thus producing a decompressed content; a second marking module for applying a second watermark on at least one location of the decompressed content, said at least one location being indicated by the marking information, thus producing a watermarked decompressed content, wherein said user unit further comprises a processing module adapted to read the marking message and to perform commands contained in said marking message.

Another object of the present disclosure is achieved by a method for watermarking digital content distributed to at least one user unit in compressed form. According to one aspect of the disclosure, the method for watermarking digital content may comprise the steps of:

- receiving a compressed digital content by said user unit;

- inserting by the user unit, a first watermark in at least a segment of said compressed digital content; - decompressing said digital content in said user unit to obtain a corresponding decompressed content;

- inserting by the user unit, a second watermark in at least a part of said decompressed content. Another object of the disclosure is to propose a method for transmitting digital content to the user unit, in view of marking the content, as well as a method for detecting watermarks on content found for example on illegal content sources.

According to the disclosure, the method for transmitting digital content may comprise the steps of:

- compressing an uncompressed content to obtain a corresponding compressed content;

- forming a marking message containing at least a command for inserting at least a first watermark in said compressed content and a second watermark in said uncompressed content;

- encrypting said compressed content and said marking message;

- transmitting said encrypted content and marking message to at least one user unit.

According to a further aspect of the disclosure, the method for detecting at least one watermark may comprise the steps of:

- receiving a content in compressed form;

- searching for a watermark in the compressed content;

- decompressing said compressed content to obtain a corresponding decompressed content;

- searching for a watermark in the decompressed content.

The user unit and the method advantageously allow for the determination of the type of attack carried out on a content.

Thanks to the disclosure, it is possible to determine an identity of a user unit which has been used to make a content available to people who do not necessarily have the rights required to legally access the content. Knowing the type of the attack used to make content illegally available is advantageously useful in providing for improved security and adequate countermeasure reaction. Indeed, two kinds of attacks are essentially used. According to a first one, the decrypted compressed content is copied and made available to users. The second one consists in copying the decompressed content and making this decompressed content available. The type of reaction to these attacks can be different in terms of countermeasures and in terms of timing. Thus if an attack is made on an uncompressed content representing a sports game made available with a very short time delay, the countermeasure should be very quick. A countermeasure can target only the fraudulent user unit. If an attack results in making movies available in compressed form on a website, the countermeasure can affect not only the user unit, but also the website. BRIEF DESCRIPTION OF DRAWINGS

The present disclosure and its advantages will be better understood with reference to the enclosed drawings and to the detailed description of specific embodiments of the disclosure, in which:

- Fig. 1 is a schematic view of a user unit according to an embodiment of the present disclosure;

- Fig. 2 illustrates a method for transmitting content according to an embodiment of the present disclosure;

- Fig 3 represents a first embodiment of a method for detecting a watermark within a content; and - Fig. 4 represents a second embodiment of a method for detecting a watermark within a content. MODES FOR CARRYING OUT THE DISCLOSURE

With reference to Fig. 1 , a user unit 10 according to the present disclosure comprises a receiver for receiving content from a content provider or other sources of content. This content is referred herein as encrypted digital content or encrypted data stream. Such content can be made available to a user unit via standard means for distributing content, such as a Content Distribution Network CDN, satellite, broadcast, owned network, cable and similar equipment. Usually, the content is compressed by the content provider and encrypted in order to control the use of said content by the user unit. This control can be made by sending or not sending a key enabling a user unit to decrypt the encrypted content.

The user unit further comprises a decryption unit for decrypting contents received in encrypted form from the receiver. This decryption unit receives encrypted digital content or an encrypted data stream. The decryption unit may further receive a means for decrypting the content or a part of the content. The decryption means is only received by the decryption unit if the user unit is entitled to decrypt the encrypted content.

According to a first embodiment, a verification whether or not the user unit is entitled to decrypt the content is performed in a management center. The means for decrypting content is sent by the management center to the relevant user unit. If the management center considers that the user unit was used fraudulently, it can prevent sending the decryption means, which implies denying access to the content by the user unit.

According to a second embodiment, the decryption means is always received by the user unit. This decryption means is however sent to the decryption unit only if the user unit is entitled to access the content. This can be checked for example by the presence of rights. The decryption means may be a decryption key or a means for deriving a decryption key.A means for deriving a decryption key could comprise for example a value and a function. Processing the value with the function could result in the decryption key. A typical example of a suitable function is a one-way function such as a hash.

The user unit comprises a demultiplexing module. If the user unit has the rights and/or the key required to access a specific content, said content is decrypted in the decryption unit. The decryption unit outputs a clear data stream which is a multiplex of several streams. The demultiplexing module is in charge of demultiplexing this data stream.

The user unit comprises a processing module for processing messages received from the content provider. The messages processed are, among other, marking messages used during the insertion of a watermark into the content.

The user unit also comprises a first marking module in charge of inserting a first watermark in the content and a second marking module in charge of inserting a second watermark in the content. This will be explained in detail below.

The user unit also comprises a decompression module arranged to decompress marked compressed content.

As shown in Fig.2 is a method transmitting content from a content provider to at least a user unit. A specific content intended for a user unit is generally first compressed by an encoder or a transcoder at the management center or a content provider. Several methods for encoding or transcoding content are well-known and are not described herein. Well-known methods are also available for determining locations in the compressed content in which the modification of one or several values, or one or several bits, do not affect the rendering of the content. In this context, the fact that a modification does not affect the rendering of the content means that a compressed content formed by the compression of an original uncompressed content can be decompressed, and the result of this decompression is a decompressed content that is similar to the original uncompressed content. The similarity of both original and decompressed contents means that the decompressed content is visually identical to the original content or that there are only slight visual differences between both contents.

The content provider or management center in charge of processing a content for user units, also prepares a marking message. This marking message is formed by a watermark manager and may comprise several elements. The marking message comprises at least a command for inserting a first watermark in the compressed content and a command for inserting a second watermark in the decompressed content. The marking message further comprises marking information allowing the user unit to determine the locations at which watermarks shall be inserted. The marking information can be a time stamp, a temporal value, a numerical value corresponding for example to a number of frames or any other similar information. The marking message is preferably specific to a given content in order to minimize the impact of the modification of a value at the location determined from the marking information. According to a particular embodiment, the marking message is comprised in an ID3 metadata, encapsulated in a data stream, as explained below with more details.

It should be noted that digital content usually comprises video components as well as audio components. Usually, only the video components are watermarked. However, it is also possible to watermark the audio component or both components.

According to an embodiment, once the content is encoded and the marking message prepared, these elements are multiplexed and encapsulated to form a data stream. The data stream is further encrypted. The encapsulation of the marking message with the digital content prevents a user from deleting the marking message. The deletion of the marking message prevents the user unit from inserting watermarks.

According to another embodiment, the marking message further comprises a key or keys, right or rights or the decryption means required to decrypt the encrypted content. Another embodiment to force the user to insert watermarks is to block the rendering of a content if no marking message is detected.

The marking message and the compressed content can be encrypted independently and sent separately. Once encrypted, the data stream is sent to the corresponding user unit(s) or made available to user units on a content distribution network or other similar content sources.

A key or a decryption means is sent to the concerned user unit, depending on different implementations and on the environment. In some embodiments, the key or decryption means is sent to a user unit only if the user is entitled to access the content.

According to other embodiments, the key or decryption means is sent to all the user units. However, the key or decryption means is transferred to the decryption unit only if the user unit is allowed to access the content. The key or decryption means isused by the decryption unit to access the content.

The decryption unit decrypts the encrypted data stream to obtain a clear data stream. In other words, the decryption unit produces a clear compressed content and a clear marking message from an encrypted digital content and from an encrypted marking message. The clear data stream is transmitted to the demultiplexing module which demultiplexes the components of the data stream. These components comprise marking messages, compressed video content and/or compressed audio content. The marking message is sent to the processing module as shown in Fig .1 , in which it is processed in particular to read a command for inserting a first watermark. The command comprised in ID3 metadata within the data stream, comprises marking information indicating at least a location in which the first watermark is to be inserted. The watermark may correspond to a unique identifier of the user unit, which can be an alphanumerical value. This value can be processed to obtain a watermark. The processing can be a hash, an encryption, a conversion such as for example a conversion in binary code, or a conversion using a conversion table. The watermark can be associated with watermark data. The watermark data is an operation that has to be applied to video content, with at least the watermark as an entry value. The operations can replace one or several bits of the video by a bit of the watermark or combine a bit of the video content with a bit of the watermark. The result of the operation is a video watermark.

As mentioned above, the watermark may correspond to a unique identifier of a user unit. The watermark can also correspond to an identifier of a type of platform on which content is rendered or consumed. It can also correspond to an identifier of a data source. The watermark can correspond to only one of the above mentioned identifiers or to several ones. In the case that the watermark corresponds to an identifier of a data source, information enabling forming this identifier may be comprised in the marking message. Depending on the specific implementation of the watermarking, it is possible to detect and read the watermark without having the original file. On the contrary, in some methods, the original file is required to be able to read the watermark, essentially by comparing the original and the watermarked files.

Watermarking a compressed content can usually not be performed on a single segment of the compressed content. On the contrary, depending on the watermarking process used, it is possible that only one bit can be changed on a segment of the compressed content. In this case, several segments will be used to form the watermark. In a typical embodiment, one bit of a watermark is inserted into one segment of the compressed content. Therefore, inserting a complete watermark can require a number of segments corresponding to several minutes of video content.

Once the received content is decrypted, a first watermark is inserted in the compressed content, as mentioned above using generally several segments. The insertion begins in a location determined by marking information contained in the marking message. This results in a marked compressed content. The marked compressed content is then decompressed in the decompression module of the user unit. This decompression can result in a decompressed content, usually comprising at least a decompressed audio content and a decompressed video content. It is to be noted that the decompressed content comprises the first watermark. The decompressed video content is then marked with a second watermark. More specifically, the second watermarking module of the user unit determines a second watermark. This second watermark can for example be determined from the unique identifier of the user unit or from a type of platform or an identifier of a data source. Marking information contained in the marking message is used to determine a location in which the second watermark must be inserted. Usually, the second watermark can be inserted in a part of the decompressed content such as a single video frame. The second watermark could also be formed by modifications of several frames. The watermarks can also be redundant. The watermark uses watermark data to change the video and a video watermark is obtained.

The first and second watermarks can be identical or different, even if they are derived from a single unique identifier. A single user unit can have several unique identifiers. The first and second watermarks can correspond to the same unique identifier or to different ones. The decompressed watermarked content can be used and, in particular, sent to a rendering device. As mentioned above, watermarks can correspond to a unique identifier of a user unit or to an identifier of a type of platform on which content is rendered or consumed or to an identifier of a data source for example.

If an ill-intentioned user makes content available on a content distribution network or on a website or other similar content source, it is advantageously possible to recognize the user unit from which such leak originates and possibly, to block this user unit. It is also possible to determine at which level the attack took place, i.e. on the compressed content or on the uncompressed content. An attack can essentially take place in two different "worlds", i.e. in the compressed world or in the uncompressed world. More specifically, an attack can take place at three different places, one of them corresponding to compressed content and the two others corresponding to uncompressed content.

With reference to Fig. 1 , the attack on marked compressed content can consist in extracting data output from the first marking module. This attack is referred to as Attack 1 on Fig. 1 .

A first attack on the decompressed content can consist in extracting data at the output of the second marking module. This attack is referred to as Attack 2. Both attacks Attack 1 and Attack 2 imply that the attacker has means to access the video stream within the user unit.

A third type of attack consists in attacking the content rendered on a rendering device. This type of attack is known as screen grabbing, screen ripping, screen recording or screen sharing for example. This attack is referred to as Attack 3 on Fig. 1 . In this type of attack, the digital content is attacked at the output of the user unit, which may require different countermeasures than those required when the content is attacked within the user unit.

When a security center detects a specific content, for example on an illegal website, the security center determines whether a watermark is present in the compressed content. This determination can be made using different methods, depending on the method used for inserting the first watermark in the compressed content. As mentioned previously, some watermarking methods require the original content and the watermarked content to be compared to determine the value of the watermark. Some other allows for the watermark to be retrieved without the original file.

In order to detect the watermark, the watermarked video is first extracted from the content found on the data source. This watermarked video is processed with the watermarked data to obtain the watermark. This watermark can in turn be processed to obtain the user identifier and/or another identifier corresponding to or derivable from this watermark. Thanks to the marking message and more specifically, to ID3 metadata hold by the management center, forensic research is accelerated. In the live video re-sharing case, it is a key point to immediately find out who is leaking the content, to deactivate the corresponding account. According to a preferred embodiment, the security center receives, from the management center, the marking message corresponding to the specific content within which the watermark is expected to be found. This marking message is processed to extract marking information. The marking information can also be sent from the management center to the security center, without the rest of the marking message. As mentioned above, the marking information allows for locations at which watermarks are inserted to be defined. With this marking information, the search for a watermark can be limited to the locations indicated by this marking information.

It should be noted that the content within which a search for watermarks is performed can be modified by the user. For this reason, it is possible to search for a watermark at locations which are not only the exact locations indicated by the marking information of the marking message but also at locations that are close to said locations. If no watermark is found, it is possible to extend the search into other locations and even to search through the whole content.

This applies to searches for watermark in compressed content as well as in uncompressed content. As it will be explained below, it is possible to begin a search for a watermark on the compressed content or on the uncompressed content. A first embodiment for detecting a watermark is explained with reference to Fig. 3. According to this first embodiment, a first watermark is searched in the compressed content. As mentioned above, the marking information may be used to facilitate the search of the watermark. This watermark is searched with a method depending on how it has been inserted in the content. If a watermark is detected, it can be used to determine the user identifier and/or another identifier. The content available on the illegal source is first decompressed and a search for a second watermark is performed in this decompressed content. As for the first watermark, the search may use the original content or not, depending on the method used to insert this second watermark. The methods used to insert the first and second watermark may be independent. This means that comparison of the watermarked content can be requested for the first watermark and not for the second, for the second and not for the first, for both watermarks or for none of them. Also, as for the detection of the first watermark, marking information of the marking message can be used to circumvent the search which is performed on the second watermark at locations in which this watermark is expected to be.

The marking information can be retrieved by processing the marking message sent from the management center to the security center. The marking information can also be received from the management center directly, without receiving the rest of the marking message. If a second watermark is found in the content, this second watermark can be used to determine a unique user identifier of the respective user unit and/or another identifier corresponding to or derivable from this watermark. In some embodiments, this user identifier should correspond to the user identifier corresponding to the first watermark. It should be noted that a user unit can have one or several unique identifiers. In the case that the user unit has several unique identifiers, one of them can be used to define the first watermark and another one can be used to define the second watermark. One watermark can be used as a unique identifier of the user unit and another one can identify the type of platform, the data source or other similar information. It is also possible to combine two or more identifiers in the same watermark, for example a user unique identifier and an identifier of the type of platform.

As mentioned above, the content can be attacked at three different places, namely at the output of the first marking module, at the output of the second marking module and after the rendering of the digital content. If only the first watermark is found, this means that an attack was carried out on the compressed content, i.e. at the output of the first marking module. If a first watermark and a second watermark are found, this means that the attack was carried out on the decompressed content, more specifically at the output of the second marking module. In both cases, this means that the attacker was able to gain access to content within the user unit.

If only the second watermark is found, one can deduct that the attack was carried out at the output of the user unit, after the digital content has been rendered by a rendering module of the user unit. In the method illustrated in Fig. 3, a search for a first watermark was carried out first on compressed content and then on uncompressed content. It is also possible to search first for a second watermark in the decompressed content. This corresponds to the embodiment illustrated in Fig. 4. In this embodiment, the content found on a content distribution network or another source is first decompressed. A search for a second watermark is performed ideally in locations indicated by the marking information of the marking message. If a second watermark is found, the user identifier of the source of the content can be determined. According to a first variant, it is possible to stop the search at this stage as the faulting user unit has been identified. However, according to a preferred embodiment, the search for another watermark is continued. If a watermark is found in the compressed content, this means that an attack was carried out either within the user unit, after the second marking module or outside of the user unit, after the rendering of the content.

According to the method illustrated in Fig. 4, a watermark is searched in the compressed content. If a watermark is found in the compressed content, this means that the attack was carried out at the output of the first marking module. This corresponds to Attack 1 or Attack 2 in Fig. 4. If no watermark is found in the compressed content, this means that the attack has been carried out on the decompressed content, after the rendering or no attack has been carried out.

Although it does not enable determining where the attack took place, it is possible to stop the search for a watermark as soon as a second watermark is found. This is interesting as the time required for finding a second watermark, i.e. a watermark inserted in the decompressed content, is usually shorter than the time required for finding a first watermark, i.e. a watermark that is inserted in a compressed content. This can be useful for example in a case where a sports game is accessed by a user unit having the corresponding rights and where the user "copies" the decompressed content and makes this content available on an illegal source. In this case, it is important to quickly identify the ill-intentioned user and to use countermeasures against the user unit. It is possible, in a second time, for example when countermeasures have been activated, to continue the search to precisely determine where the attack took place. This is illustrated at the bottom part of Fig. 4. In this case, the content is decompressed and a watermark is searched, usually with the help of the marking information. If a watermark is present, this means that the attack corresponds either to Attack 2 or Attack 3 as illustrated in Fig. 1 . If no watermark is present, this means that the attack corresponds to Attack 1 or to no attack at all. By combining the information obtained from the search for the first and second watermark, it is possible to precisely determine the place where the content was attacked.

If no second watermark is detected in the decompressed content, the security center uses the compressed content found on the content source. As previously, this search can use marking information of a corresponding marking message. If a watermark is found, this watermark can be used to determine the fraudulent user unit. The presence of the first watermark only means that the attack was carried out on the compressed content.

The disclosure finally provides a method to convey within the data stream's ID3 metadata the elements required by user units to know where to place the watermarks. This advantageously avoids having to watermark large portions of the content or the whole content, therefore requiring more processing capacities on the user unit, and also ensures that the research of said watermarks is accelerated as these insertion points are only known by the management center.

Although embodiments of the present disclosure have been described with reference to specific example embodiments, it will be evident that various modifications and changes may be made to these embodiments without departing from the broader scope of these embodiments. Accordingly, the specification and drawings are to be regarded in an illustrative rather than a restrictive sense. The accompanying drawings that form a part hereof, show by way of illustration, and not of limitation, specific embodiments in which the subject matter may be practiced. The embodiments illustrated are described in sufficient detail to enable those skilled in the art to practice the teachings disclosed herein. Other embodiments may be utilized and derived there from, such that structural and logical substitutions and changes may be made without departing from the scope of this disclosure. This Detailed description, therefore, is not to be taken in a limiting sense, and the scope of various embodiments is defined only by the appended claims, along with the full range of equivalents to which such claims are entitled.

Such embodiments of the inventive subject matter may be referred to herein, individually and/or collectively, by the term "disclosure" merely for convenience and without intending to voluntarily limit the scope of this application to any single inventive concept if more than one is in fact disclosed. Thus, although specific embodiments have been illustrated and described herein, it should be appreciated that any arrangement calculated to achieve the same purpose may be substituted for the specific embodiments shown. This disclosure is intended to cover any and all adaptations or variations of various embodiments. Combinations of the above embodiments, and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the above description.