This work addresses the vulnerability of existing deep watermarking models under known-host attacks (KOA), where adversaries exploit multiple pairs of original and watermarked images to estimate and remove the embedded residual. The study systematically reveals, for the first time, the inherent fragility of END-based architectures in such scenarios and introduces ResGuard, a novel defense module. ResGuard enhances the dependency between the embedded residual and the host image through a residual-specific augmentation loss and incorporates a plug-in auxiliary KOA noise layer to improve decoder robustness. Experimental results demonstrate that integrating ResGuard boosts watermark extraction accuracy from 59.87% to 99.81%, effectively countering diverse KOA strategies while preserving high visual quality.

Deep learning-based image watermarking commonly adopts an "Encoder-Noise Layer-Decoder" (END) architecture to improve robustness against random channel distortions, yet it often overlooks intentional manipulations introduced by adversaries with additional knowledge. In this paper, we revisit this paradigm and expose a critical yet underexplored vulnerability: the Known Original Attack (KOA), where an adversary has access to multiple original-watermarked image pairs, enabling various targeted suppression strategies. We show that even a simple residual-based removal approach, namely estimating an embedding residual from known pairs and subtracting it from unseen watermarked images, can almost completely remove the watermark while preserving visual quality. This vulnerability stems from the insufficient image dependency of residuals produced by END frameworks, which makes them transferable across images. To address this, we propose ResGuard, a plug-and-play module that enhances KOA robustness by enforcing image-dependent embedding. Its core lies in a residual specificity enhancement loss, which encourages residuals to be tightly coupled with their host images and thus improves image dependency. Furthermore, an auxiliary KOA noise layer injects residual-style perturbations during training, allowing the decoder to remain reliable under stronger embedding inconsistencies. Integrated into existing frameworks, ResGuard boosts KOA robustness, improving average watermark extraction accuracy from 59.87% to 99.81%.